package org.apache.impala.customcluster;

import java.io.File;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.integ.CreateLdapServerRule;
import org.apache.hive.service.rpc.thrift.TCLIService;
import org.apache.hive.service.rpc.thrift.TCancelOperationReq;
import org.apache.hive.service.rpc.thrift.TCancelOperationResp;
import org.apache.hive.service.rpc.thrift.TColumn;
import org.apache.hive.service.rpc.thrift.TExecuteStatementReq;
import org.apache.hive.service.rpc.thrift.TExecuteStatementResp;
import org.apache.hive.service.rpc.thrift.TFetchOrientation;
import org.apache.hive.service.rpc.thrift.TFetchResultsReq;
import org.apache.hive.service.rpc.thrift.TFetchResultsResp;
import org.apache.hive.service.rpc.thrift.TOpenSessionReq;
import org.apache.hive.service.rpc.thrift.TOpenSessionResp;
import org.apache.hive.service.rpc.thrift.TOperationHandle;
import org.apache.hive.service.rpc.thrift.TSessionHandle;
import org.apache.hive.service.rpc.thrift.TStatus;
import org.apache.hive.service.rpc.thrift.TStatusCode;
import org.apache.impala.testutil.LdapUtil;
import org.apache.impala.util.Metrics;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.transport.THttpClient;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;

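@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", address = "localhost")})
@CreateDS(name = "myDS", partitions = {@CreatePartition(name = "test", suffix = "dc=myorg,dc=com")})
@ApplyLdifFiles({"users.ldif"})
/**
 * Integration tests for the HiveServer2 HTTP front end's authentication paths, run against a
 * custom Impala cluster that authenticates users with the embedded ApacheDS LDAP server
 * populated from {@code users.ldif}.
 *
 * <p>Covered: HTTP Basic auth and the session-vs-connection user check, cookie auth,
 * proxy-user impersonation ({@code impala.doas.user}), the trusted-domain
 * ({@code X-Forwarded-For}) and trusted-header bypasses, and JWT bearer tokens. Every step
 * asserts the exact success/failure counters exposed by the server so that an auth check
 * that is silently skipped (or silently run twice) is caught, not just the final outcome.
 */
public class LdapHS2Test {

    /** Embedded LDAP server for the whole class; its port is read when the cluster starts. */
    @ClassRule
    public static CreateLdapServerRule serverRule = new CreateLdapServerRule();

    /** HS2 HTTP endpoint of the cluster started by {@link #setUp(String)}. */
    private static final String HS2_HTTP_URL = "http://localhost:28000";
    /** Common prefix of every counter checked by the {@code verify*Metrics} helpers. */
    private static final String METRIC_PREFIX = "impala.thrift-server.hiveserver2-http-frontend.";
    /** Exception message produced by THttpClient when the server answers 401. */
    private static final String UNAUTHORIZED_MESSAGE = "HTTP Response code: 401";
    /** Error returned when a session handle is used over a connection authenticated as someone else. */
    private static final String USER_MISMATCH_MESSAGE =
        "The user authorized on the connection 'Test2Ldap' does not match the session username 'Test1Ldap'\n";

    private static final String AUTHORIZATION = "Authorization";
    private static final String COOKIE = "Cookie";
    private static final String X_FORWARDED_FOR = "X-Forwarded-For";
    private static final String TRUSTED_AUTH_HEADER = "X-Trusted-Proxy-Auth-Header";

    // HTTP Basic credentials (base64 of "user:password") for the users defined in users.ldif.
    // These are fixture passwords for the in-process test directory only.
    private static final String BASIC_USER1_VALID = "Basic VGVzdDFMZGFwOjEyMzQ1";      // Test1Ldap:12345
    private static final String BASIC_USER1_EMPTY_PASSWORD = "Basic VGVzdDFMZGFwOg=="; // Test1Ldap: (no password)
    private static final String BASIC_USER2_VALID = "Basic VGVzdDJMZGFwOmFiY2Rl";      // Test2Ldap:abcde
    private static final String BASIC_USER2_WRONG_PASSWORD = "Basic VGVzdDJMZGFwOjEyMzQ1"; // Test2Ldap:12345
    private static final String BASIC_USER4_VALID = "Basic VGVzdDRMZGFwOmZnaGlq";      // Test4Ldap:fghij

    // RS256-signed JWT (header alg=RS256, payload username "impala") verifiable with
    // testdata/jwt/jwks_rs256.json, and the same header.payload with the signature segment removed.
    private static final String JWT_RS256_SIGNED =
        "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpjNDI0YjY3Yi1mZTI4LTQ1ZDctYjAxNS1mNzlkYTUwYjViMjEiLCJ0eXAiOiJKV1MifQ."
        + "eyJpc3MiOiJhdXRoMCIsInVzZXJuYW1lIjoiaW1wYWxhIn0."
        + "OW5H2SClLlsotsCarTHYEbqlbRh43LFwOyo9WubpNTwE7hTuJDsnFoVrvHiWI02W69TZNat7DYcC86A_ogLMfNXagHjlMFJaRnvG5Ekag8NRuZNJmHVqfX-qr6x7_8mpOdU554kc200pqbpYLhhuK4Qf7oT7y9mOrtNrUKGDCZ0Q2y_mizlbY6SMg4RWqSz0RQwJbRgXIWSgcbZd0GbD_MQQ8x7WRE4nluU-5Fl4N2Wo8T9fNTuxALPiuVeIczO25b5n4fryfKasSgaZfmk0CoOJzqbtmQxqiK9QNSJAiH2kaqMwLNgAdgn8fbd-lB1RAEGeyPH8Px8ipqcKsPk0bg";
    private static final String JWT_RS256_UNSIGNED =
        "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpjNDI0YjY3Yi1mZTI4LTQ1ZDctYjAxNS1mNzlkYTUwYjViMjEiLCJ0eXAiOiJKV1MifQ."
        + "eyJpc3MiOiJhdXRoMCIsInVzZXJuYW1lIjoiaW1wYWxhIn0.";

    /** Reads the server's metrics endpoint; package-private so sibling tests in this package can reuse it. */
    final Metrics metrics = new Metrics();

    /**
     * Starts the custom cluster with LDAP authentication pointed at the embedded server.
     *
     * @param extraArgs additional impalad flags appended after the LDAP flags (may be empty)
     * @throws Exception if the cluster fails to start (non-zero exit status)
     */
    public void setUp(String extraArgs) throws Exception {
        String ldapUri = String.format("ldap://localhost:%s", serverRule.getLdapServer().getPort());
        // --ldap_passwords_in_clear_ok is a test-only relaxation: the cluster is plain HTTP here.
        String args = String.format(
            "--enable_ldap_auth --ldap_uri='%s' --ldap_bind_pattern='%s' --ldap_passwords_in_clear_ok %s ",
            ldapUri, "cn=#UID,ou=Users,dc=myorg,dc=com", extraArgs);
        Assert.assertEquals(0L, CustomClusterRunner.StartImpalaCluster(args));
    }

    /**
     * Fails unless the status is a success (with or without info).
     *
     * @throws Exception carrying the status text; deliberately a plain {@code Exception} because
     *     callers catch {@code Exception} and inspect {@code getMessage()}
     */
    static void verifySuccess(TStatus status) throws Exception {
        TStatusCode code = status.getStatusCode();
        if (code != TStatusCode.SUCCESS_STATUS && code != TStatusCode.SUCCESS_WITH_INFO_STATUS) {
            throw new Exception(status.toString());
        }
    }

    /**
     * Executes a single-column, single-row query on the session and checks the returned value.
     *
     * @param client        HS2 client bound to the connection under test
     * @param session       session to run the query in
     * @param query         SQL to execute
     * @param expectedValue expected string value of the only cell in the result
     * @return the operation handle of the executed statement
     * @throws Exception on a non-success status or a transport error
     */
    static TOperationHandle execAndFetch(TCLIService.Iface client, TSessionHandle session,
            String query, String expectedValue) throws Exception {
        TExecuteStatementResp execResp = client.ExecuteStatement(new TExecuteStatementReq(session, query));
        verifySuccess(execResp.getStatus());
        TOperationHandle opHandle = execResp.getOperationHandle();
        TFetchResultsResp fetchResp = client.FetchResults(
            new TFetchResultsReq(opHandle, TFetchOrientation.FETCH_NEXT, 1000L));
        verifySuccess(fetchResp.getStatus());
        List<TColumn> columns = fetchResp.getResults().getColumns();
        Assert.assertEquals(1, columns.size());
        Assert.assertEquals(expectedValue, columns.get(0).getStringVal().getValues().get(0));
        return opHandle;
    }

    /**
     * Executes a statement without fetching its results.
     *
     * @return the operation handle of the executed statement
     * @throws Exception on a non-success status or a transport error
     */
    public static TOperationHandle execQueryAsync(TCLIService.Iface client, TSessionHandle session,
            String query) throws Exception {
        TExecuteStatementResp execResp = client.ExecuteStatement(new TExecuteStatementReq(session, query));
        verifySuccess(execResp.getStatus());
        return execResp.getOperationHandle();
    }

    /**
     * Attempts to open a session and asserts that the server rejects it with HTTP 401.
     *
     * @param failMessage assertion message if the server unexpectedly accepts the request
     */
    private static void openSessionExpect401(TCLIService.Iface client, TOpenSessionReq req,
            String failMessage) throws Exception {
        try {
            client.OpenSession(req);
        } catch (Exception e) {
            Assert.assertEquals(UNAUTHORIZED_MESSAGE, e.getMessage());
            return;
        }
        Assert.fail(failMessage);
    }

    /** Reads one HS2 HTTP front-end counter by its name suffix. */
    private long metricValue(String suffix) throws Exception {
        return ((Long) metrics.getMetric(METRIC_PREFIX + suffix)).longValue();
    }

    /** Asserts the Basic-auth success/failure counters. */
    private void verifyMetrics(long expectedSuccesses, long expectedFailures) throws Exception {
        Assert.assertEquals(expectedSuccesses, metricValue("total-basic-auth-success"));
        Assert.assertEquals(expectedFailures, metricValue("total-basic-auth-failure"));
    }

    /** Asserts the cookie-auth success/failure counters. */
    private void verifyCookieMetrics(long expectedSuccesses, long expectedFailures) throws Exception {
        Assert.assertEquals(expectedSuccesses, metricValue("total-cookie-auth-success"));
        Assert.assertEquals(expectedFailures, metricValue("total-cookie-auth-failure"));
    }

    /** Asserts the trusted-domain check success counter. */
    private void verifyTrustedDomainMetrics(long expectedSuccesses) throws Exception {
        Assert.assertEquals(expectedSuccesses, metricValue("total-trusted-domain-check-success"));
    }

    /** Asserts the trusted-auth-header check success counter. */
    private void verifyTrustedAuthHeaderMetrics(long expectedSuccesses) throws Exception {
        Assert.assertEquals(expectedSuccesses, metricValue("total-trusted-auth-header-check-success"));
    }

    /** Asserts the JWT-auth success/failure counters. */
    private void verifyJwtAuthMetrics(long expectedSuccesses, long expectedFailures) throws Exception {
        Assert.assertEquals(expectedSuccesses, metricValue("total-jwt-token-auth-success"));
        Assert.assertEquals(expectedFailures, metricValue("total-jwt-token-auth-failure"));
    }

    /**
     * Basic auth over HTTP: every request is authenticated, a session cannot be driven from a
     * connection authenticated as a different user, bad credentials and non-Basic schemes get
     * 401, and malformed or forged {@code impala.auth} cookies are rejected.
     */
    @Test
    public void testHiveserver2() throws Exception {
        setUp("");
        verifyMetrics(0L, 0L);
        THttpClient transport = new THttpClient(HS2_HTTP_URL);
        Map<String, String> headers = new HashMap<>();
        headers.put(AUTHORIZATION, BASIC_USER1_VALID);
        transport.setCustomHeaders(headers);
        transport.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(transport));
        TOpenSessionReq openReq = new TOpenSessionReq();

        // Each HTTP request is authenticated separately: OpenSession is 1 success, the
        // Execute + Fetch pair adds 2 more.
        TOpenSessionResp openResp = client.OpenSession(openReq);
        verifyMetrics(1L, 0L);
        TOperationHandle opHandle = execAndFetch(client, openResp.getSessionHandle(),
            "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(3L, 0L);

        // Switch the connection's credentials to Test2Ldap and reuse Test1Ldap's session handle.
        // The credentials are valid (the auth counter still increments) but the server must not
        // let one authenticated user act inside another user's session.
        headers.put(AUTHORIZATION, BASIC_USER2_VALID);
        transport.setCustomHeaders(headers);
        try {
            execAndFetch(client, openResp.getSessionHandle(), "select 1", "1");
            Assert.fail("Expected error: " + USER_MISMATCH_MESSAGE);
        } catch (Exception e) {
            Assert.assertTrue(e.getMessage().contains(USER_MISMATCH_MESSAGE));
            verifyMetrics(4L, 0L);
        }

        // Cancelling Test1Ldap's operation from the Test2Ldap connection is refused the same way.
        TCancelOperationResp cancelResp = client.CancelOperation(new TCancelOperationReq(opHandle));
        verifyMetrics(5L, 0L);
        Assert.assertEquals(TStatusCode.ERROR_STATUS, cancelResp.getStatus().getStatusCode());
        Assert.assertEquals(USER_MISMATCH_MESSAGE, cancelResp.getStatus().getErrorMessage());

        // A fresh session on the Test2Ldap connection behaves normally.
        TOpenSessionResp openResp2 = client.OpenSession(openReq);
        verifyMetrics(6L, 0L);
        execAndFetch(client, openResp2.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_2);
        verifyMetrics(8L, 0L);

        // Wrong password and an undecodable Basic credential: 401 and a failure count each.
        long basicFailures = 0;
        for (String badCredential : new String[] {BASIC_USER2_WRONG_PASSWORD, "Basic invalid-base64"}) {
            headers.put(AUTHORIZATION, badCredential);
            transport.setCustomHeaders(headers);
            openSessionExpect401(client, openReq, "Expected exception.");
            basicFailures++;
            verifyMetrics(8L, basicFailures);
        }

        // An unsupported scheme is rejected without being counted as a Basic-auth attempt.
        headers.put(AUTHORIZATION, "Negotiate VGVzdDFMZGFwOjEyMzQ1");
        transport.setCustomHeaders(headers);
        openSessionExpect401(client, openReq, "Expected exception.");
        verifyMetrics(8L, basicFailures);

        // An unparseable cookie alongside valid Basic credentials: the cookie counts as one
        // cookie-auth failure and authentication falls back to the Basic credential.
        headers.put(AUTHORIZATION, BASIC_USER2_VALID);
        headers.put(COOKIE, "invalid-cookie");
        transport.setCustomHeaders(headers);
        client.OpenSession(openReq);
        verifyMetrics(9L, basicFailures);
        long cookieFailures = 1;
        verifyCookieMetrics(0L, cookieFailures);

        // With no Authorization header the cookie is the only credential; malformed values and
        // values with a bogus signature must all be rejected, never silently treated as a user.
        headers.remove(AUTHORIZATION);
        for (String badCookie : new String[] {
                "invalid-format",
                "x&impala&0&0",
                "eA==&impala&0&0",
                "\"eA==&impala&0&0\"",
                "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=&impala&0&0"}) {
            headers.put(COOKIE, "impala.auth=" + badCookie);
            transport.setCustomHeaders(headers);
            openSessionExpect401(client, openReq, "Expected exception from cookie: " + badCookie);
            cookieFailures++;
            verifyMetrics(9L, basicFailures);
            verifyCookieMetrics(0L, cookieFailures);
        }
    }

    /**
     * Proxy-user impersonation: the authenticated proxy user may only open sessions on behalf
     * of users that pass the configured LDAP user/group filters, and never for itself.
     */
    @Test
    public void testHS2Impersonation() throws Exception {
        // The bind password is handed to the daemon via --ldap_bind_password_cmd; 'echo -n' is a
        // test convenience only, since the password then appears in the process arguments.
        setUp(String.format(
            "--ldap_group_filter=%s,another-group --ldap_user_filter=%s,%s,another-user "
            + "--ldap_group_dn_pattern=%s --ldap_group_membership_key=uniqueMember "
            + "--ldap_group_class_key=groupOfUniqueNames --authorized_proxy_user_config=%s=* "
            + "--ldap_bind_dn=%s --ldap_bind_password_cmd='echo -n %s' ",
            LdapUtil.TEST_USER_GROUP, LdapUtil.TEST_USER_1, LdapUtil.TEST_USER_3,
            LdapUtil.GROUP_DN_PATTERN, LdapUtil.TEST_USER_4, LdapUtil.TEST_USER_DN_1,
            LdapUtil.TEST_PASSWORD_1));
        THttpClient transport = new THttpClient(HS2_HTTP_URL);
        Map<String, String> headers = new HashMap<>();
        headers.put(AUTHORIZATION, BASIC_USER4_VALID);
        transport.setCustomHeaders(headers);
        transport.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(transport));
        TOpenSessionReq openReq = new TOpenSessionReq();

        // Test4Ldap authenticates (no 401) but is not in the user filter, so its own session is refused.
        Assert.assertEquals(TStatusCode.ERROR_STATUS,
            client.OpenSession(openReq).getStatus().getStatusCode());

        // As the configured proxy user it may act on behalf of a filtered-in user.
        Map<String, String> sessionConf = new HashMap<>();
        sessionConf.put("impala.doas.user", LdapUtil.TEST_USER_1);
        openReq.setConfiguration(sessionConf);
        TOpenSessionResp openResp = client.OpenSession(openReq);
        Assert.assertEquals(TStatusCode.SUCCESS_STATUS, openResp.getStatus().getStatusCode());
        execAndFetch(client, openResp.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);

        // Refused targets: TEST_USER_2 (not in the user filter), TEST_USER_3 (in the user filter
        // but still refused -- presumably it fails the group filter; confirm against users.ldif)
        // and the proxy user itself. sessionConf is the map already attached to openReq.
        for (String target : new String[] {LdapUtil.TEST_USER_2, LdapUtil.TEST_USER_3, LdapUtil.TEST_USER_4}) {
            sessionConf.put("impala.doas.user", target);
            Assert.assertEquals(TStatusCode.ERROR_STATUS,
                client.OpenSession(openReq).getStatus().getStatusCode());
        }
    }

    /**
     * Trusted-domain auth driven by {@code X-Forwarded-For}: a request whose XFF address is in
     * the trusted domain is accepted on the strength of the username in the Basic header, with
     * no LDAP password check; any other address falls back to real Basic auth.
     *
     * <p>The test sets the header straight from the client. In a deployment this mode is only
     * sound if the proxy in front of Impala overwrites client-supplied XFF values; that proxy
     * behaviour is outside what this test exercises.
     */
    @Test
    public void testHiveserver2TrustedDomainAuth() throws Exception {
        setUp("--trusted_domain=localhost --trusted_domain_use_xff_header=true");
        verifyMetrics(0L, 0L);
        THttpClient transport = new THttpClient(HS2_HTTP_URL);
        Map<String, String> headers = new HashMap<>();
        headers.put(AUTHORIZATION, BASIC_USER1_VALID);
        headers.put(X_FORWARDED_FOR, "127.0.0.1");
        transport.setCustomHeaders(headers);
        transport.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(transport));
        TOpenSessionReq openReq = new TOpenSessionReq();

        // Trusted XFF: the Basic-auth counters stay at zero, only the trusted-domain counter moves.
        TOpenSessionResp openResp = client.OpenSession(openReq);
        verifyMetrics(0L, 0L);
        verifyTrustedDomainMetrics(1L);
        execAndFetch(client, openResp.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(0L, 0L);
        verifyTrustedDomainMetrics(3L);

        // Same with an empty password: it is never checked against LDAP on the trusted path.
        headers.put(AUTHORIZATION, BASIC_USER1_EMPTY_PASSWORD);
        transport.setCustomHeaders(headers);
        TOpenSessionResp openResp2 = client.OpenSession(openReq);
        verifyMetrics(0L, 0L);
        verifyTrustedDomainMetrics(4L);
        execAndFetch(client, openResp2.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(0L, 0L);
        verifyTrustedDomainMetrics(6L);

        // The header name is matched case-insensitively.
        headers.remove(X_FORWARDED_FOR);
        headers.put("x-Forwarded-for", "127.0.0.1");
        transport.setCustomHeaders(headers);
        TOpenSessionResp openResp3 = client.OpenSession(openReq);
        verifyMetrics(0L, 0L);
        verifyTrustedDomainMetrics(7L);
        execAndFetch(client, openResp3.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(0L, 0L);
        verifyTrustedDomainMetrics(9L);

        // XFF outside the trusted domain: the trusted counter is untouched and each request is
        // authenticated against LDAP with the (valid) Basic credential.
        headers.remove("x-Forwarded-for");
        headers.put(AUTHORIZATION, BASIC_USER1_VALID);
        headers.put(X_FORWARDED_FOR, "127.23.0.1");
        transport.setCustomHeaders(headers);
        TOpenSessionResp openResp4 = client.OpenSession(openReq);
        verifyMetrics(1L, 0L);
        verifyTrustedDomainMetrics(9L);
        execAndFetch(client, openResp4.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(3L, 0L);
        verifyTrustedDomainMetrics(9L);

        // Trusted XFF but no Authorization header: there is no username to accept, so 401.
        headers.remove(AUTHORIZATION);
        headers.put(X_FORWARDED_FOR, "127.0.0.1");
        transport.setCustomHeaders(headers);
        openSessionExpect401(client, openReq, "Expected exception.");
        verifyTrustedDomainMetrics(9L);

        // Untrusted XFF with an empty password: the LDAP bind fails and is counted as such.
        headers.put(AUTHORIZATION, BASIC_USER1_EMPTY_PASSWORD);
        headers.put(X_FORWARDED_FOR, "127.23.0.1");
        transport.setCustomHeaders(headers);
        openSessionExpect401(client, openReq, "Expected exception.");
        verifyMetrics(3L, 1L);
        verifyTrustedDomainMetrics(9L);

        // No XFF header at all: with --trusted_domain_use_xff_header=true the trusted counter does
        // not move even though the TCP peer is local, and ordinary Basic auth runs instead.
        headers.put(AUTHORIZATION, BASIC_USER1_VALID);
        headers.remove(X_FORWARDED_FOR);
        transport.setCustomHeaders(headers);
        client.OpenSession(openReq);
        verifyMetrics(4L, 1L);
        verifyTrustedDomainMetrics(9L);
    }

    /**
     * Trusted-auth-header mode: the presence of the configured header (even with an empty value)
     * makes the server accept the username from the Basic header without an LDAP check; without
     * the header normal Basic auth applies. As with XFF, the proxy must strip this header from
     * client requests for the mode to be safe, which this test does not cover.
     */
    @Test
    public void testHiveserver2TrustedAuthHeader() throws Exception {
        setUp("--trusted_auth_header=" + TRUSTED_AUTH_HEADER);
        verifyMetrics(0L, 0L);
        THttpClient transport = new THttpClient(HS2_HTTP_URL);
        Map<String, String> headers = new HashMap<>();
        headers.put(AUTHORIZATION, BASIC_USER1_VALID);
        headers.put(TRUSTED_AUTH_HEADER, "on");
        transport.setCustomHeaders(headers);
        transport.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(transport));
        TOpenSessionReq openReq = new TOpenSessionReq();

        // Header present: no Basic-auth activity, trusted-header counter increments per request.
        TOpenSessionResp openResp = client.OpenSession(openReq);
        verifyMetrics(0L, 0L);
        verifyTrustedAuthHeaderMetrics(1L);
        execAndFetch(client, openResp.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(0L, 0L);
        verifyTrustedAuthHeaderMetrics(3L);

        // An empty header value still counts as present, and the empty password is never checked.
        headers.put(AUTHORIZATION, BASIC_USER1_EMPTY_PASSWORD);
        headers.put(TRUSTED_AUTH_HEADER, "");
        transport.setCustomHeaders(headers);
        TOpenSessionResp openResp2 = client.OpenSession(openReq);
        verifyMetrics(0L, 0L);
        verifyTrustedAuthHeaderMetrics(4L);
        execAndFetch(client, openResp2.getSessionHandle(), "select logged_in_user()", LdapUtil.TEST_USER_1);
        verifyMetrics(0L, 0L);
        verifyTrustedAuthHeaderMetrics(6L);

        // Header present but no Authorization header: no username to accept, so 401.
        headers.remove(AUTHORIZATION);
        headers.put(TRUSTED_AUTH_HEADER, "on");
        transport.setCustomHeaders(headers);
        openSessionExpect401(client, openReq, "Expected exception.");
        verifyTrustedAuthHeaderMetrics(6L);

        // Header absent: regular Basic auth; the trusted-header counter must not move.
        long trustedHeaderSuccesses = metricValue("total-trusted-auth-header-check-success");
        headers.put(AUTHORIZATION, BASIC_USER1_VALID);
        headers.remove(TRUSTED_AUTH_HEADER);
        transport.setCustomHeaders(headers);
        client.OpenSession(openReq);
        verifyMetrics(1L, 0L);
        verifyTrustedAuthHeaderMetrics(trustedHeaderSuccesses);
    }

    /**
     * JWT bearer auth with signature validation against a JWKS file: a correctly signed RS256
     * token authenticates as the {@code username} claim, and the same header and claims with the
     * signature stripped are rejected -- the claims alone are never proof of identity.
     */
    @Test
    public void testHiveserver2JwtAuth() throws Exception {
        String jwksPath = new File(System.getenv("IMPALA_HOME"), "testdata/jwt/jwks_rs256.json").getPath();
        // --jwt_allow_without_tls is a test-only relaxation: bearer tokens over plain HTTP are replayable.
        setUp(String.format(
            "--jwt_token_auth=true --jwt_validate_signature=true --jwks_file_path=%s --jwt_allow_without_tls=true",
            jwksPath));
        verifyMetrics(0L, 0L);
        THttpClient transport = new THttpClient(HS2_HTTP_URL);
        Map<String, String> headers = new HashMap<>();
        headers.put(AUTHORIZATION, "Bearer " + JWT_RS256_SIGNED);
        // No trusted-domain flag is set in this test, so this header is expected to have no effect.
        headers.put(X_FORWARDED_FOR, "127.0.0.1");
        transport.setCustomHeaders(headers);
        transport.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(transport));
        TOpenSessionReq openReq = new TOpenSessionReq();

        // Signed token: only the JWT counters move, and the session user is the token's username claim.
        TOpenSessionResp openResp = client.OpenSession(openReq);
        verifyMetrics(0L, 0L);
        verifyJwtAuthMetrics(1L, 0L);
        execAndFetch(client, openResp.getSessionHandle(), "select logged_in_user()", "impala");
        verifyMetrics(0L, 0L);
        verifyJwtAuthMetrics(3L, 0L);

        // Same header and claims with an empty signature segment: must be rejected with 401.
        headers.put(AUTHORIZATION, "Bearer " + JWT_RS256_UNSIGNED);
        headers.put(X_FORWARDED_FOR, "127.0.0.1");
        transport.setCustomHeaders(headers);
        openSessionExpect401(client, openReq, "Expected exception.");
        verifyJwtAuthMetrics(3L, 1L);
    }
}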
