package org.apache.hadoop.security.token.delegation.web;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.URL;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.io.TestGenericWritable;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
import org.apache.zookeeper.client.ZooKeeperSaslClient;
import org.codehaus.jackson.map.ObjectMapper;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.FilterHolder;
import org.mortbay.jetty.servlet.ServletHolder;

/* JADX WARN: Classes with same name are omitted:
  input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.class
  input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.class
 */
/* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.class */
public class TestWebDelegationToken {
    // User name that the proxy-user settings in KDTAFilter and PseudoDTAFilter allow to be impersonated.
    private static final String OK_USER = "ok-user";
    // Not referenced in the visible part of this file; presumably a user that is NOT on the
    // proxy-user allow list. Confirm against the tests further down.
    private static final String FAIL_USER = "fail-user";
    // Renewer name passed to getDelegationToken(), and the remote user of the no-delegation-token tests.
    private static final String FOO_USER = "foo";
    // Jetty instance most recently built by createJettyServer(); getJettyURL() and cleanUp() read it.
    private Server jetty;

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$AFilter.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$AFilter.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$AFilter.class */
    /**
     * Delegation-token filter whose authentication handler is
     * {@link DummyDelegationTokenAuthenticationHandler}. Test fixture only: that handler
     * accepts whatever identity the request claims.
     */
    public static class AFilter extends DelegationTokenAuthenticationFilter {
        /**
         * Supplies the filter configuration, ignoring both arguments.
         *
         * <p>The decompiler reports that the access modifier of this override was changed
         * from {@code protected}.
         *
         * @param str unused
         * @param filterConfig unused
         * @return properties holding only the {@code type} key, set to the dummy handler's class name
         */
        @Override
        public Properties getConfiguration(String str, FilterConfig filterConfig) {
            String handlerClassName = DummyDelegationTokenAuthenticationHandler.class.getName();
            Properties handlerConfig = new Properties();
            handlerConfig.setProperty("type", handlerClassName);
            return handlerConfig;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyAuthenticationHandler.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyAuthenticationHandler.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyAuthenticationHandler.class */
    /**
     * Test-only {@link AuthenticationHandler}. It verifies no credential at all: the caller's
     * identity is whatever the {@code authenticated} request parameter says. That makes the
     * tests easy to drive over plain HTTP and is the reason this class must stay in test code.
     */
    public static class DummyAuthenticationHandler implements AuthenticationHandler {
        /**
         * @return the handler type string
         */
        @Override
        public String getType() {
            // NOTE(review): this constant belongs to an unrelated test class; the decompiler has
            // presumably substituted it for an inlined string literal. Confirm the value.
            return TestGenericWritable.CONF_TEST_VALUE;
        }

        /** No-op: the handler needs no configuration. */
        @Override
        public void init(Properties properties) throws ServletException {
        }

        /** No-op: the handler holds no resources. */
        @Override
        public void destroy() {
        }

        /**
         * Always returns {@code false} without inspecting the token or touching the request or response.
         */
        @Override
        public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
            return false;
        }

        /**
         * Accepts the request when it carries an {@code authenticated} parameter and uses the
         * parameter value as the user name; otherwise answers 401 with a
         * {@code WWW-Authenticate} challenge.
         *
         * @return a token for the claimed user, or {@code null} after the 401 has been set
         */
        @Override
        public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
            String claimedUser = httpServletRequest.getParameter("authenticated");
            if (claimedUser == null) {
                httpServletResponse.setStatus(401);
                // Same substituted constant as getType(); see the note there.
                httpServletResponse.setHeader("WWW-Authenticate", TestGenericWritable.CONF_TEST_VALUE);
                return null;
            }
            // The claimed name is trusted as-is; nothing proves the caller owns it.
            return new AuthenticationToken(claimedUser, "U", "test");
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyDelegationTokenAuthenticationHandler.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyDelegationTokenAuthenticationHandler.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyDelegationTokenAuthenticationHandler.class */
    /**
     * Delegation-token handler that delegates primary authentication to
     * {@link DummyAuthenticationHandler}, so every identity check in the tests that use it
     * rests on the {@code authenticated} request parameter.
     */
    public static class DummyDelegationTokenAuthenticationHandler extends DelegationTokenAuthenticationHandler {
        /** Wraps a fresh {@link DummyAuthenticationHandler}. */
        public DummyDelegationTokenAuthenticationHandler() {
            super(new DummyAuthenticationHandler());
        }

        /**
         * Initialises the token manager with the token kind {@code token-kind}.
         *
         * @param properties configuration from the filter; used as the defaults of the
         *     properties passed on, and left unmodified
         */
        @Override
        public void init(Properties properties) throws ServletException {
            // Layer the token kind over the caller's properties instead of mutating them.
            Properties withTokenKind = new Properties(properties);
            withTokenKind.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, "token-kind");
            initTokenManager(withTokenKind);
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyDelegationTokenSecretManager.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyDelegationTokenSecretManager.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$DummyDelegationTokenSecretManager.class */
    /**
     * Secret manager handed to the filter from outside in
     * {@code testExternalDelegationTokenSecretManager}. Its identifiers carry the kind
     * {@code fooKind}, which lets the test tell its tokens apart from those of the filter's
     * own manager.
     */
    private static class DummyDelegationTokenSecretManager extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
        // NOTE(review): the four constructor arguments are presumably the key-update interval,
        // token max lifetime, renew interval and remover scan interval, in milliseconds.
        // Confirm against AbstractDelegationTokenSecretManager.
        private static final long INTERVAL = 10000L;

        public DummyDelegationTokenSecretManager() {
            super(INTERVAL, INTERVAL, INTERVAL, INTERVAL);
        }

        /**
         * @return a new, empty identifier of kind {@code fooKind}
         */
        @Override
        public DelegationTokenIdentifier createIdentifier() {
            Text kind = new Text("fooKind");
            return new DelegationTokenIdentifier(kind);
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$KDTAFilter.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$KDTAFilter.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$KDTAFilter.class */
    /**
     * Delegation-token filter backed by the Kerberos handler, configured for the service
     * principal {@code HTTP/localhost}.
     */
    public static class KDTAFilter extends DelegationTokenAuthenticationFilter {
        // Keytab path given to the Kerberos handler. Nothing in the visible part of the file
        // assigns it; presumably the Kerberos test sets it before the filter is initialised.
        static String keytabFile;

        /**
         * Supplies the Kerberos handler configuration, ignoring both arguments.
         *
         * <p>The decompiler reports that the access modifier of this override was changed
         * from {@code protected}.
         *
         * @return handler type, keytab, principal and token kind
         */
        @Override
        public Properties getConfiguration(String str, FilterConfig filterConfig) {
            Properties kerberosConfig = new Properties();
            String handlerClassName = KerberosDelegationTokenAuthenticationHandler.class.getName();
            kerberosConfig.setProperty("type", handlerClassName);
            kerberosConfig.setProperty(KerberosAuthenticationHandler.KEYTAB, keytabFile);
            kerberosConfig.setProperty(KerberosAuthenticationHandler.PRINCIPAL, "HTTP/localhost");
            kerberosConfig.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, "token-kind");
            return kerberosConfig;
        }

        /**
         * Supplies the proxy-user rules: the keys name a real user {@code client}, the user
         * {@code ok-user} and the host {@code localhost}.
         *
         * @return a configuration built without default resources, holding only those two keys
         */
        @Override
        protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) throws ServletException {
            Configuration proxyRules = new Configuration(false);
            proxyRules.set("proxyuser.client.users", OK_USER);
            proxyRules.set("proxyuser.client.hosts", "localhost");
            return proxyRules;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$KerberosConfiguration.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$KerberosConfiguration.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$KerberosConfiguration.class */
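    /**
     * In-memory JAAS configuration that logs one principal in from a keytab through the
     * Kerberos login module. It returns the same single entry for every application name.
     *
     * <p>The decompiler reports that the access modifier of this class was changed from
     * {@code private}.
     */
    public static class KerberosConfiguration extends javax.security.auth.login.Configuration {
        private final String principal;
        private final String keytab;

        /**
         * @param str the Kerberos principal to log in as
         * @param str2 path of the keytab that holds the principal's key
         */
        public KerberosConfiguration(String str, String str2) {
            this.principal = str;
            this.keytab = str2;
        }

        /**
         * Builds the login-module options for the configured principal and keytab.
         *
         * @param str application name; ignored
         * @return a one-element array with a REQUIRED Kerberos login-module entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            // NOTE(review): this ZooKeeper constant is used as the value of every boolean
            // option; the decompiler has presumably substituted it for an inlined "true"
            // literal. Confirm the value.
            String enabled = ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT;
            Map<String, String> options = new HashMap<>();
            options.put("principal", this.principal);
            options.put("keyTab", this.keytab);
            options.put("useKeyTab", enabled);
            options.put("storeKey", enabled);
            options.put("doNotPrompt", enabled);
            options.put("useTicketCache", enabled);
            options.put("renewTGT", enabled);
            options.put("refreshKrb5Config", enabled);
            options.put("isInitiator", enabled);
            // The ticket cache location is taken from the environment when it is set.
            String ticketCache = System.getenv("KRB5CCNAME");
            if (ticketCache != null) {
                options.put("ticketCache", ticketCache);
            }
            // Login-module debug output is switched on; acceptable in a test, noisy elsewhere.
            options.put("debug", enabled);
            AppConfigurationEntry entry = new AppConfigurationEntry(
                    KerberosUtil.getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options);
            return new AppConfigurationEntry[]{entry};
        }
    }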

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$NoDTFilter.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$NoDTFilter.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$NoDTFilter.class */
    /**
     * Plain {@link AuthenticationFilter} with the pseudo handler, i.e. a server side that has
     * no delegation-token support in the filter at all.
     */
    public static class NoDTFilter extends AuthenticationFilter {
        /**
         * Supplies the filter configuration, ignoring both arguments.
         *
         * <p>The decompiler reports that the access modifier of this override was changed
         * from {@code protected}.
         *
         * @return properties holding only the {@code type} key, set to the pseudo handler type
         */
        @Override
        public Properties getConfiguration(String str, FilterConfig filterConfig) {
            Properties pseudoConfig = new Properties();
            pseudoConfig.setProperty("type", PseudoAuthenticationHandler.TYPE);
            return pseudoConfig;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$NoDTHandlerDTAFilter.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$NoDTHandlerDTAFilter.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$NoDTHandlerDTAFilter.class */
    /**
     * Delegation-token filter paired with the plain pseudo handler, i.e. a
     * delegation-token-aware filter whose handler is not one.
     */
    public static class NoDTHandlerDTAFilter extends DelegationTokenAuthenticationFilter {
        /**
         * Supplies the filter configuration, ignoring both arguments.
         *
         * <p>The decompiler reports that the access modifier of this override was changed
         * from {@code protected}.
         *
         * @return properties holding only the {@code type} key, set to the pseudo handler type
         */
        @Override
        public Properties getConfiguration(String str, FilterConfig filterConfig) {
            Properties pseudoConfig = new Properties();
            pseudoConfig.setProperty("type", PseudoAuthenticationHandler.TYPE);
            return pseudoConfig;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$PingServlet.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$PingServlet.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$PingServlet.class */
    /**
     * Target servlet that reports, through response headers, how the delegation token
     * reached it: as a request header, as a query-string parameter, or both.
     */
    public static class PingServlet extends HttpServlet {
        /**
         * Answers 200 with the body {@code ping}, then sets {@code UsingHeader} when the
         * delegation-token request header is present and {@code UsingQueryString} when the
         * query string contains {@code delegation=}.
         */
        @Override
        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
            httpServletResponse.setStatus(200);
            httpServletResponse.getWriter().write("ping");
            String tokenHeader = httpServletRequest.getHeader(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER);
            if (tokenHeader != null) {
                httpServletResponse.setHeader("UsingHeader", ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT);
            }
            String query = httpServletRequest.getQueryString();
            if (query != null && query.contains("delegation=")) {
                httpServletResponse.setHeader("UsingQueryString", ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT);
            }
        }

        /**
         * Writes {@code ping: } followed by the request body, then sets status 200.
         * The body is echoed unmodified.
         */
        @Override
        protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
            PrintWriter out = httpServletResponse.getWriter();
            out.write("ping: ");
            IOUtils.copy(httpServletRequest.getReader(), out);
            httpServletResponse.setStatus(200);
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$PseudoDTAFilter.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$PseudoDTAFilter.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$PseudoDTAFilter.class */
    /**
     * Delegation-token filter backed by the pseudo delegation-token handler.
     */
    public static class PseudoDTAFilter extends DelegationTokenAuthenticationFilter {
        /**
         * Supplies the handler configuration, ignoring both arguments.
         *
         * <p>The decompiler reports that the access modifier of this override was changed
         * from {@code protected}.
         *
         * @return handler type and token kind
         */
        @Override
        public Properties getConfiguration(String str, FilterConfig filterConfig) {
            Properties pseudoConfig = new Properties();
            String handlerClassName = PseudoDelegationTokenAuthenticationHandler.class.getName();
            pseudoConfig.setProperty("type", handlerClassName);
            pseudoConfig.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, "token-kind");
            return pseudoConfig;
        }

        /**
         * Supplies the proxy-user rules: the keys name a real user {@code foo}, the user
         * {@code ok-user} and the host {@code localhost}.
         *
         * @return a configuration built without default resources, holding only those two keys
         */
        @Override
        protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) throws ServletException {
            Configuration proxyRules = new Configuration(false);
            proxyRules.set("proxyuser.foo.users", OK_USER);
            proxyRules.set("proxyuser.foo.hosts", "localhost");
            return proxyRules;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$UGIServlet.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$UGIServlet.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$UGIServlet.class */
    /**
     * Target servlet that writes the identity the filter established for the request, so a
     * test can check the servlet remote user, the effective UGI user and, for proxied calls,
     * the real user behind it.
     */
    public static class UGIServlet extends HttpServlet {
        /**
         * Answers 500 when no UGI is attached to the request. Otherwise answers 200 with
         * {@code remoteuser=<r>:ugi=<u>}, prefixed by {@code realugi=<real>:} when the UGI's
         * authentication method is PROXY.
         */
        @Override
        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
            UserGroupInformation ugi = HttpUserGroupInformation.get();
            if (ugi == null) {
                httpServletResponse.setStatus(500);
                return;
            }
            StringBuilder body = new StringBuilder();
            boolean proxied = ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY;
            if (proxied) {
                body.append("realugi=").append(ugi.getRealUser().getShortUserName()).append(":");
            }
            body.append("remoteuser=").append(httpServletRequest.getRemoteUser());
            body.append(":ugi=").append(ugi.getShortUserName());
            httpServletResponse.setStatus(200);
            httpServletResponse.getWriter().write(body.toString());
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$UserServlet.class
      input_file:hadoop-common-2.7.4/share/hadoop/common/hadoop-common-2.7.4-tests.jar:org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$UserServlet.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken$UserServlet.class */
    /**
     * Target servlet that writes the name of the request's user principal.
     */
    public static class UserServlet extends HttpServlet {
        /**
         * Answers 200 with the principal name as the body. The principal is dereferenced
         * without a null check, so the servlet relies on a filter having set one.
         */
        @Override
        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
            httpServletResponse.setStatus(200);
            String principalName = httpServletRequest.getUserPrincipal().getName();
            httpServletResponse.getWriter().write(principalName);
        }
    }

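    /**
     * Creates an unstarted Jetty server bound to {@code localhost} on a port that was free
     * at probe time, and stores it in {@link #jetty}.
     *
     * <p>The port is found by opening and closing a probe socket. Two limits of that
     * approach: another process can take the port between the probe closing and Jetty
     * starting, and the probe binds the address returned by
     * {@code InetAddress.getLocalHost()} while Jetty is told to bind {@code localhost},
     * which need not be the same interface.
     *
     * @return the new server, also reachable through {@link #getJetty()}
     * @throws RuntimeException wrapping any failure during setup
     */
    protected Server createJettyServer() {
        try {
            int localPort;
            // try-with-resources releases the probe socket on every path, not only on success.
            try (ServerSocket probe = new ServerSocket(0, 50, InetAddress.getLocalHost())) {
                localPort = probe.getLocalPort();
            }
            this.jetty = new Server(0);
            Connector connector = this.jetty.getConnectors()[0];
            connector.setHost("localhost");
            connector.setPort(localPort);
            return this.jetty;
        } catch (Exception e) {
            throw new RuntimeException("Could not setup Jetty: " + e.getMessage(), e);
        }
    }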

    /**
     * @return the plain-HTTP base URL ({@code http://host:port}) of the first connector of
     *     the current Jetty server, as configured on that connector
     */
    protected String getJettyURL() {
        Connector first = this.jetty.getConnectors()[0];
        StringBuilder base = new StringBuilder("http://");
        base.append(first.getHost()).append(":").append(first.getPort());
        return base.toString();
    }

    /**
     * Resets the process-wide UGI configuration to a default {@link Configuration} and
     * builds a fresh, unstarted Jetty server for the test.
     */
    @Before
    public void setUp() throws Exception {
        Configuration defaults = new Configuration();
        UserGroupInformation.setConfiguration(defaults);
        this.jetty = createJettyServer();
    }

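    /**
     * Stops the current Jetty server and resets the process-wide UGI configuration.
     *
     * <p>The reset runs in a {@code finally} block: UGI configuration is static state, so a
     * failure while stopping Jetty must not leave one test's security settings in place for
     * the next test.
     */
    @After
    public void cleanUp() throws Exception {
        try {
            this.jetty.stop();
        } finally {
            UserGroupInformation.setConfiguration(new Configuration());
        }
    }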

    /**
     * @return the Jetty server most recently built by {@link #createJettyServer()}
     */
    protected Server getJetty() {
        Server current = this.jetty;
        return current;
    }

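    /**
     * Drives the delegation-token HTTP operations with plain {@link HttpURLConnection}s
     * against {@link AFilter} and checks the status code of each step.
     *
     * <p>Each PUT request is held in a local variable so that the assertion reads the
     * response of the connection whose method was just set. The server is stopped in a
     * {@code finally} block.
     */
    @Test
    public void testRawHttpCalls() throws Exception {
        Server server = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        server.setHandler(context);
        context.addFilter(new FilterHolder(AFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(PingServlet.class), "/bar");
        try {
            server.start();
            URL nonAuthUrl = new URL(getJettyURL() + "/foo/bar");
            URL authUrl = new URL(getJettyURL() + "/foo/bar?authenticated=foo");

            // Plain access: rejected without an identity, accepted with one.
            HttpURLConnection conn = (HttpURLConnection) nonAuthUrl.openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            conn = (HttpURLConnection) authUrl.openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

            // Token issuance requires authentication.
            conn = (HttpURLConnection) new URL(nonAuthUrl.toExternalForm() + "?op=GETDELEGATIONTOKEN").openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            conn = (HttpURLConnection) new URL(authUrl.toExternalForm() + "&op=GETDELEGATIONTOKEN&renewer=foo").openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            Map<?, ?> json = new ObjectMapper().readValue(conn.getInputStream(), Map.class);
            Map<?, ?> tokenJson = (Map<?, ?>) json.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_JSON);
            String dt = (String) tokenJson.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
            Assert.assertNotNull(dt);

            // The token alone authenticates a request, with or without the identity parameter.
            conn = (HttpURLConnection) new URL(nonAuthUrl.toExternalForm() + "?delegation=" + dt).openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            conn = (HttpURLConnection) new URL(authUrl.toExternalForm() + "&delegation=" + dt).openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

            // Renewal: needs authentication, and only the named renewer (foo) may renew.
            conn = (HttpURLConnection) new URL(nonAuthUrl.toExternalForm() + "?op=RENEWDELEGATIONTOKEN&token=" + dt).openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            conn = (HttpURLConnection) new URL(authUrl.toExternalForm() + "&op=RENEWDELEGATIONTOKEN&token=" + dt).openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            conn = (HttpURLConnection) new URL(getJettyURL() + "/foo/bar?authenticated=bar&op=RENEWDELEGATIONTOKEN&token=" + dt).openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());

            // Cancellation is accepted without authentication; a second cancel finds no token.
            conn = (HttpURLConnection) new URL(nonAuthUrl.toExternalForm() + "?op=CANCELDELEGATIONTOKEN&token=" + dt).openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            conn = (HttpURLConnection) new URL(nonAuthUrl.toExternalForm() + "?op=CANCELDELEGATIONTOKEN&token=" + dt).openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_NOT_FOUND, conn.getResponseCode());

            // A fresh token can also be cancelled by the authenticated user.
            conn = (HttpURLConnection) new URL(authUrl.toExternalForm() + "&op=GETDELEGATIONTOKEN&renewer=foo").openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            json = new ObjectMapper().readValue(conn.getInputStream(), Map.class);
            tokenJson = (Map<?, ?>) json.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_JSON);
            String dt2 = (String) tokenJson.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
            Assert.assertNotNull(dt2);
            conn = (HttpURLConnection) new URL(authUrl.toExternalForm() + "&op=CANCELDELEGATIONTOKEN&token=" + dt2).openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
        } finally {
            server.stop();
        }
    }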

    /**
     * Runs the authenticator scenario with the delegation token carried in the request header.
     */
    @Test
    public void testDelegationTokenAuthenticatorCallsWithHeader() throws Exception {
        final boolean useQueryString = false;
        testDelegationTokenAuthenticatorCalls(useQueryString);
    }

    /**
     * Runs the authenticator scenario with the delegation token carried in the query string.
     */
    @Test
    public void testDelegationTokenAuthenticatorCallsWithQueryString() throws Exception {
        final boolean useQueryString = true;
        testDelegationTokenAuthenticatorCalls(useQueryString);
    }

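    /**
     * Exercises get, renew and cancel through {@link DelegationTokenAuthenticatedURL}
     * against {@link AFilter}, then checks that a token held by the current UGI is sent the
     * way the client was configured.
     *
     * <p>A token sent in the query string is part of the URL and so can be captured by
     * anything that records request URLs; the header transport avoids that.
     *
     * @param z {@code true} to send the token as the {@code delegation} query parameter,
     *     {@code false} to send it in the delegation-token request header
     */
    private void testDelegationTokenAuthenticatorCalls(final boolean z) throws Exception {
        Server server = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        server.setHandler(context);
        context.addFilter(new FilterHolder(AFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(PingServlet.class), "/bar");
        try {
            server.start();
            final URL nonAuthUrl = new URL(getJettyURL() + "/foo/bar");
            URL authUrl = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
            URL otherUserUrl = new URL(getJettyURL() + "/foo/bar?authenticated=bar");
            DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
            final DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
            aUrl.setUseQueryStringForDelegationToken(z);

            // Issuance without an identity must be rejected.
            try {
                aUrl.getDelegationToken(nonAuthUrl, token, FOO_USER);
                Assert.fail();
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage().contains("401"));
            }

            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            Assert.assertNotNull(token.getDelegationToken());
            Assert.assertEquals(new Text("token-kind"), token.getDelegationToken().getKind());

            // Renewal: fine for the renewer, 401 without an identity, 403 for another user.
            aUrl.renewDelegationToken(authUrl, token);
            try {
                aUrl.renewDelegationToken(nonAuthUrl, token);
                Assert.fail();
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage().contains("401"));
            }

            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            try {
                aUrl.renewDelegationToken(otherUserUrl, token);
                Assert.fail();
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage().contains("403"));
            }

            // Cancellation is expected to succeed both with and without an identity.
            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            aUrl.cancelDelegationToken(authUrl, token);
            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            aUrl.cancelDelegationToken(nonAuthUrl, token);

            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            try {
                aUrl.renewDelegationToken(nonAuthUrl, token);
                // Without this, an unauthenticated renewal that succeeded would pass the test.
                // Assert.fail() throws an Error, so the catch below does not swallow it.
                Assert.fail();
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage().contains("401"));
            }

            // With the token stored in the current UGI, an otherwise unauthenticated request
            // must succeed and carry the token by the configured transport only.
            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            currentUser.addToken(token.getDelegationToken());
            currentUser.doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    HttpURLConnection conn = aUrl.openConnection(nonAuthUrl, new DelegationTokenAuthenticatedURL.Token());
                    Assert.assertEquals(200L, conn.getResponseCode());
                    if (z) {
                        Assert.assertNull(conn.getHeaderField("UsingHeader"));
                        Assert.assertNotNull(conn.getHeaderField("UsingQueryString"));
                    } else {
                        Assert.assertNotNull(conn.getHeaderField("UsingHeader"));
                        Assert.assertNull(conn.getHeaderField("UsingQueryString"));
                    }
                    return null;
                }
            });
        } finally {
            server.stop();
        }
    }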

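    /**
     * Checks that the filter uses a secret manager supplied through the servlet-context
     * attribute: the issued token must carry the kind {@code fooKind} that only
     * {@link DummyDelegationTokenSecretManager} produces.
     *
     * <p>Cleanup is nested so that the secret manager's threads are stopped even when
     * stopping Jetty throws.
     */
    @Test
    public void testExternalDelegationTokenSecretManager() throws Exception {
        DummyDelegationTokenSecretManager secretManager = new DummyDelegationTokenSecretManager();
        Server server = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        server.setHandler(context);
        context.addFilter(new FilterHolder(AFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(PingServlet.class), "/bar");
        try {
            secretManager.startThreads();
            // The attribute is set before the server starts, i.e. before the filter initialises.
            context.setAttribute(DelegationTokenAuthenticationFilter.DELEGATION_TOKEN_SECRET_MANAGER_ATTR, secretManager);
            server.start();
            URL authUrl = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
            DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
            DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
            aUrl.getDelegationToken(authUrl, token, FOO_USER);
            Assert.assertNotNull(token.getDelegationToken());
            Assert.assertEquals(new Text("fooKind"), token.getDelegationToken().getKind());
        } finally {
            try {
                server.stop();
            } finally {
                secretManager.stopThreads();
            }
        }
    }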

    /**
     * Runs the shared "no delegation token support" scenario with {@code NoDTFilter} installed
     * as the servlet filter.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testDelegationTokenAuthenticationURLWithNoDTFilter() throws Exception {
        this.testDelegationTokenAuthenticatedURLWithNoDT(NoDTFilter.class);
    }

    /**
     * Runs the shared "no delegation token support" scenario with {@code NoDTHandlerDTAFilter}
     * installed as the servlet filter.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testDelegationTokenAuthenticationURLWithNoDTHandler() throws Exception {
        this.testDelegationTokenAuthenticatedURLWithNoDT(NoDTHandlerDTAFilter.class);
    }

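    /**
     * Shared scenario for servers that authenticate requests but do not offer delegation token
     * operations.
     *
     * <p>With {@code cls} as the only filter in front of {@code UserServlet}, and running as
     * {@code FOO_USER}, an ordinary request must return 200 with a single response line equal to
     * {@code FOO_USER}, while a request for a delegation token must be refused with an
     * {@link AuthenticationException} whose message mentions "delegation token operation".
     *
     * @param cls filter class to install on {@code /*}
     * @throws Exception if the server cannot be started or a request fails unexpectedly
     */
    private void testDelegationTokenAuthenticatedURLWithNoDT(Class<? extends Filter> cls) throws Exception {
        Server jetty = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        jetty.setHandler(context);
        context.addFilter(new FilterHolder(cls), "/*", 0);
        context.addServlet(new ServletHolder(UserServlet.class), "/bar");
        try {
            jetty.start();
            final URL url = new URL(getJettyURL() + "/foo/bar");
            UserGroupInformation.createRemoteUser(FOO_USER).doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
                    DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL();

                    // Plain authenticated access still works.
                    HttpURLConnection conn = authUrl.openConnection(url, token);
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
                    List<String> lines = IOUtils.readLines(conn.getInputStream());
                    Assert.assertEquals(1, lines.size());
                    Assert.assertEquals(TestWebDelegationToken.FOO_USER, lines.get(0));

                    // Asking for a delegation token must be rejected by the client library.
                    try {
                        authUrl.getDelegationToken(url, token, TestWebDelegationToken.FOO_USER);
                    } catch (AuthenticationException expected) {
                        Assert.assertTrue(expected.getMessage().contains("delegation token operation"));
                        return null;
                    }
                    Assert.fail("delegation token request was expected to be rejected");
                    return null;
                }
            });
        } finally {
            // Single cleanup path: the server is stopped once whether the scenario passed or not.
            jetty.stop();
        }
    }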

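    /**
     * Checks that {@code DelegationTokenAuthenticatedURL}, created with its default settings,
     * works against a server protected by {@code PseudoDTAFilter}.
     *
     * <p>Running as {@code FOO_USER}, an ordinary request must return 200 with a single response
     * line equal to {@code FOO_USER}, and a delegation token of kind {@code token-kind} must be
     * obtainable. As the test name indicates, this exercises the client's fallback to pseudo
     * authentication; the filter itself is defined outside this method.
     *
     * @throws Exception if the server cannot be started or a request fails
     */
    @Test
    public void testFallbackToPseudoDelegationTokenAuthenticator() throws Exception {
        Server jetty = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        jetty.setHandler(context);
        context.addFilter(new FilterHolder(PseudoDTAFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(UserServlet.class), "/bar");
        try {
            jetty.start();
            final URL url = new URL(getJettyURL() + "/foo/bar");
            UserGroupInformation.createRemoteUser(FOO_USER).doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
                    DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL();

                    HttpURLConnection conn = authUrl.openConnection(url, token);
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
                    List<String> lines = IOUtils.readLines(conn.getInputStream());
                    Assert.assertEquals(1, lines.size());
                    Assert.assertEquals(TestWebDelegationToken.FOO_USER, lines.get(0));

                    authUrl.getDelegationToken(url, token, TestWebDelegationToken.FOO_USER);
                    Assert.assertNotNull(token.getDelegationToken());
                    Assert.assertEquals(new Text("token-kind"), token.getDelegationToken().getKind());
                    return null;
                }
            });
        } finally {
            // Single cleanup path: the server is stopped once whether the scenario passed or not.
            jetty.stop();
        }
    }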

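    /**
     * Logs in through JAAS using a {@code KerberosConfiguration} built from the two string
     * arguments, runs {@code callable} as the resulting subject, and logs out again.
     *
     * <p>The login context is released in a {@code finally} block, so logout happens exactly once
     * on both the success and the failure path.
     *
     * @param str principal name; added to the subject and passed to {@code KerberosConfiguration}
     * @param str2 second argument of {@code KerberosConfiguration}; the caller in this file passes
     *     the absolute path of a keytab
     * @param callable work to run as the logged-in subject
     * @param <T> result type of {@code callable}
     * @return the value returned by {@code callable}
     * @throws Exception the exception raised by {@code callable} (unwrapped from
     *     {@link PrivilegedActionException}), or a login/logout failure
     */
    public static <T> T doAsKerberosUser(String str, String str2, final Callable<T> callable) throws Exception {
        LoginContext loginContext = null;
        try {
            HashSet<KerberosPrincipal> principals = new HashSet<KerberosPrincipal>();
            principals.add(new KerberosPrincipal(str));
            // Not read-only; credential sets start empty and are expected to be filled by login().
            Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
            loginContext = new LoginContext("", subject, (CallbackHandler) null, new KerberosConfiguration(str, str2));
            loginContext.login();
            return Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<T>() {
                @Override
                public T run() throws Exception {
                    return callable.call();
                }
            });
        } catch (PrivilegedActionException e) {
            // Surface the callable's own exception rather than the JAAS wrapper.
            throw e.getException();
        } finally {
            if (loginContext != null) {
                loginContext.logout();
            }
        }
    }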

    /**
     * Runs the Kerberos delegation token scenario without impersonation.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testKerberosDelegationTokenAuthenticator() throws Exception {
        final boolean withDoAs = false;
        this.testKerberosDelegationTokenAuthenticator(withDoAs);
    }

    /**
     * Runs the Kerberos delegation token scenario with impersonation (doAs) enabled.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testKerberosDelegationTokenAuthenticatorWithDoAs() throws Exception {
        final boolean withDoAs = true;
        this.testKerberosDelegationTokenAuthenticator(withDoAs);
    }

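    /**
     * Shared Kerberos scenario: get, renew and cancel a delegation token against a server
     * protected by {@code KDTAFilter}, using a {@code MiniKdc} started for the test.
     *
     * <p>Steps asserted:
     * <ol>
     *   <li>without a Kerberos login, a token request fails with an
     *       {@link AuthenticationException} mentioning {@code GSSException};</li>
     *   <li>logged in as {@code client}, a token of kind {@code token-kind} is issued whose owner
     *       is {@code OK_USER} when impersonating (with real user {@code client}) and
     *       {@code client} otherwise;</li>
     *   <li>that token can be renewed;</li>
     *   <li>a token requested with renewer {@code FOO_USER} cannot be renewed by this caller: the
     *       failure message must contain {@code 403};</li>
     *   <li>after cancellation the client-side token is cleared.</li>
     * </ol>
     *
     * @param z {@code true} to perform every operation on behalf of {@code OK_USER} (doAs),
     *     {@code false} to act as the Kerberos principal itself
     * @throws Exception if the KDC or server cannot be started or an operation fails unexpectedly
     */
    private void testKerberosDelegationTokenAuthenticator(final boolean z) throws Exception {
        final String doAsUser = z ? OK_USER : null;

        // Switches the UserGroupInformation configuration to Kerberos via a static setter.
        // NOTE(review): this method does not restore the previous setting; confirm that a
        // setup/teardown elsewhere in the class resets it so later tests are unaffected.
        Configuration conf = new Configuration();
        conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(conf);

        // NOTE(review): the work directory and the keytab written into it are not deleted by
        // this method; they remain under target/ after the run.
        File workDir = new File("target/" + UUID.randomUUID().toString());
        Assert.assertTrue(workDir.mkdirs());
        MiniKdc kdc = new MiniKdc(MiniKdc.createConf(), workDir);

        Server jetty = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        jetty.setHandler(context);
        context.addFilter(new FilterHolder(KDTAFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(UserServlet.class), "/bar");
        try {
            kdc.start();
            File keytab = new File(workDir, "test.keytab");
            kdc.createPrincipal(keytab, new String[]{"client", "HTTP/localhost"});
            // Static field on the filter class: must be set before the server starts.
            KDTAFilter.keytabFile = keytab.getAbsolutePath();
            jetty.start();

            final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
            final DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL();
            final URL url = new URL(getJettyURL() + "/foo/bar");

            // No Kerberos login yet: the request must not succeed.
            try {
                authUrl.getDelegationToken(url, token, FOO_USER, doAsUser);
                Assert.fail("token request without a Kerberos login was expected to fail");
            } catch (AuthenticationException expected) {
                Assert.assertTrue(expected.getMessage().contains("GSSException"));
            }

            doAsKerberosUser("client", keytab.getAbsolutePath(), new Callable<Void>() {
                @Override
                public Void call() throws Exception {
                    // Renewer is the doAs user when impersonating, otherwise "client".
                    authUrl.getDelegationToken(url, token, z ? doAsUser : "client", doAsUser);
                    Assert.assertNotNull(token.getDelegationToken());
                    Assert.assertEquals(new Text("token-kind"), token.getDelegationToken().getKind());

                    // Decode the identifier to check whom the token was issued to.
                    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier(new Text("token-kind"));
                    DataInputStream in = new DataInputStream(new ByteArrayInputStream(token.getDelegationToken().getIdentifier()));
                    try {
                        identifier.readFields(in);
                    } finally {
                        in.close();
                    }
                    Assert.assertEquals(z ? new Text(TestWebDelegationToken.OK_USER) : new Text("client"), identifier.getOwner());
                    if (z) {
                        // Impersonation must stay visible: the real user is recorded in the token.
                        Assert.assertEquals(new Text("client"), identifier.getRealUser());
                    }

                    authUrl.renewDelegationToken(url, token, doAsUser);
                    Assert.assertNotNull(token.getDelegationToken());

                    // A token whose renewer is FOO_USER must not be renewable by this caller.
                    authUrl.getDelegationToken(url, token, TestWebDelegationToken.FOO_USER, doAsUser);
                    Assert.assertNotNull(token.getDelegationToken());
                    try {
                        authUrl.renewDelegationToken(url, token, doAsUser);
                        Assert.fail("renewal was expected to be refused");
                    } catch (Exception expected) {
                        Assert.assertTrue(expected.getMessage().contains("403"));
                    }

                    authUrl.getDelegationToken(url, token, TestWebDelegationToken.FOO_USER, doAsUser);
                    authUrl.cancelDelegationToken(url, token, doAsUser);
                    Assert.assertNull(token.getDelegationToken());
                    return null;
                }
            });
        } finally {
            // Cleanup runs exactly once on every path, and the KDC is stopped even when stopping
            // the server fails.
            try {
                jetty.stop();
            } finally {
                kdc.stop();
            }
        }
    }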

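    /**
     * Checks impersonation (doAs) handling on a server protected by {@code PseudoDTAFilter}.
     *
     * <p>Asserted behaviour:
     * <ul>
     *   <li>a raw request carrying {@code user.name=FOO_USER} and {@code doas=OK_USER} is served
     *       as {@code OK_USER}; the parameter name is also accepted as {@code DOAS};</li>
     *   <li>through {@code DelegationTokenAuthenticatedURL}, doAs {@code OK_USER} returns 200 and
     *       doAs {@code FAIL_USER} returns 403;</li>
     *   <li>once a delegation token is attached to the current user, a request that asks for
     *       doAs {@code OK_USER} is answered as {@code FOO_USER}.</li>
     * </ul>
     *
     * <p>In the raw requests the caller's identity comes from the {@code user.name} query
     * parameter, i.e. it is asserted by the client. Which users may be impersonated is decided by
     * the filter's configuration, which is defined outside this method.
     *
     * @throws Exception if the server cannot be started or a request fails
     */
    @Test
    public void testProxyUser() throws Exception {
        Server jetty = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        jetty.setHandler(context);
        context.addFilter(new FilterHolder(PseudoDTAFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(UserServlet.class), "/bar");
        try {
            jetty.start();
            final URL url = new URL(getJettyURL() + "/foo/bar");

            // Lower-case parameter name.
            HttpURLConnection lowerCaseConn = (HttpURLConnection) new URL(String.format("%s?user.name=%s&doas=%s", url.toExternalForm(), FOO_USER, OK_USER)).openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, lowerCaseConn.getResponseCode());
            List<String> lowerCaseLines = IOUtils.readLines(lowerCaseConn.getInputStream());
            Assert.assertEquals(1, lowerCaseLines.size());
            Assert.assertEquals(OK_USER, lowerCaseLines.get(0));

            // Upper-case parameter name must be treated the same way.
            HttpURLConnection upperCaseConn = (HttpURLConnection) new URL(String.format("%s?user.name=%s&DOAS=%s", url.toExternalForm(), FOO_USER, OK_USER)).openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, upperCaseConn.getResponseCode());
            List<String> upperCaseLines = IOUtils.readLines(upperCaseConn.getInputStream());
            Assert.assertEquals(1, upperCaseLines.size());
            Assert.assertEquals(OK_USER, upperCaseLines.get(0));

            UserGroupInformation.createRemoteUser(FOO_USER).doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
                    DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL();

                    // Permitted impersonation.
                    HttpURLConnection allowed = authUrl.openConnection(url, token, TestWebDelegationToken.OK_USER);
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, allowed.getResponseCode());
                    List<String> allowedLines = IOUtils.readLines(allowed.getInputStream());
                    Assert.assertEquals(1, allowedLines.size());
                    Assert.assertEquals(TestWebDelegationToken.OK_USER, allowedLines.get(0));

                    // Refused impersonation.
                    Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, authUrl.openConnection(url, token, TestWebDelegationToken.FAIL_USER).getResponseCode());

                    // With a delegation token attached to the current user, the response names
                    // FOO_USER even though doAs asks for OK_USER.
                    authUrl.getDelegationToken(url, token, TestWebDelegationToken.FOO_USER);
                    UserGroupInformation.getCurrentUser().addToken(token.getDelegationToken());
                    HttpURLConnection withToken = authUrl.openConnection(url, new DelegationTokenAuthenticatedURL.Token(), TestWebDelegationToken.OK_USER);
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, withToken.getResponseCode());
                    List<String> withTokenLines = IOUtils.readLines(withToken.getInputStream());
                    Assert.assertEquals(1, withTokenLines.size());
                    Assert.assertEquals(TestWebDelegationToken.FOO_USER, withTokenLines.get(0));
                    return null;
                }
            });
        } finally {
            // Single cleanup path: the server is stopped once whether the scenario passed or not.
            jetty.stop();
        }
    }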

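    /**
     * Checks the user information that {@code UGIServlet} reports behind {@code PseudoDTAFilter}.
     *
     * <p>Running as {@code FOO_USER}: a direct request must yield {@code remoteuser=foo:ugi=foo},
     * and a request on behalf of {@code OK_USER} must yield
     * {@code realugi=foo:remoteuser=ok-user:ugi=ok-user}, so the real caller stays visible next to
     * the impersonated user. The servlet producing these lines is defined outside this method.
     *
     * @throws Exception if the server cannot be started or a request fails
     */
    @Test
    public void testHttpUGI() throws Exception {
        Server jetty = createJettyServer();
        Context context = new Context();
        context.setContextPath("/foo");
        jetty.setHandler(context);
        context.addFilter(new FilterHolder(PseudoDTAFilter.class), "/*", 0);
        context.addServlet(new ServletHolder(UGIServlet.class), "/bar");
        try {
            jetty.start();
            final URL url = new URL(getJettyURL() + "/foo/bar");
            UserGroupInformation.createRemoteUser(FOO_USER).doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
                    DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL();

                    // Direct request: remote user and UGI are both the caller.
                    HttpURLConnection direct = authUrl.openConnection(url, token);
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, direct.getResponseCode());
                    List<String> directLines = IOUtils.readLines(direct.getInputStream());
                    Assert.assertEquals(1, directLines.size());
                    Assert.assertEquals("remoteuser=foo:ugi=foo", directLines.get(0));

                    // Impersonated request: effective user changes, real user is still reported.
                    HttpURLConnection impersonated = authUrl.openConnection(url, token, TestWebDelegationToken.OK_USER);
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, impersonated.getResponseCode());
                    List<String> impersonatedLines = IOUtils.readLines(impersonated.getInputStream());
                    Assert.assertEquals(1, impersonatedLines.size());
                    Assert.assertEquals("realugi=foo:remoteuser=ok-user:ugi=ok-user", impersonatedLines.get(0));
                    return null;
                }
            });
        } finally {
            // Single cleanup path: the server is stopped once whether the scenario passed or not.
            jetty.stop();
        }
    }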
}
