package org.apache.hadoop.security;

import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.test.GenericTestUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
import org.slf4j.event.Level;

/* loaded from: input_file:org/apache/hadoop/security/TestUGILoginFromKeytab.class */
public class TestUGILoginFromKeytab {
    private MiniKdc kdc;
    private File workDir;
    private ExecutorService executor;

    @Rule
    public final TemporaryFolder folder = new TemporaryFolder();

    @Before
    public void startMiniKdc() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(configuration);
        UserGroupInformation.setShouldRenewImmediatelyForTests(true);
        this.workDir = this.folder.getRoot();
        this.kdc = new MiniKdc(MiniKdc.createConf(), this.workDir);
        this.kdc.start();
        this.executor = Executors.newCachedThreadPool();
    }

    @After
    public void stopMiniKdc() {
        if (this.kdc != null) {
            this.kdc.stop();
        }
        if (this.executor != null) {
            this.executor.shutdownNow();
        }
    }

    @Test
    public void testUGILoginFromKeytab() throws Exception {
        File file = new File(this.workDir, "foo.keytab");
        this.kdc.createPrincipal(file, new String[]{"foo"});
        UserGroupInformation.loginUserFromKeytab("foo", file.getPath());
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        Assert.assertTrue("UGI should be configured to login from keytab", loginUser.isFromKeytab());
        User user = getUser(loginUser.getSubject());
        long lastLogin = user.getLastLogin();
        LoginContext login = user.getLogin();
        Assert.assertNotNull(login);
        loginUser.reloginFromKeytab();
        long lastLogin2 = user.getLastLogin();
        LoginContext login2 = user.getLogin();
        Assert.assertTrue("User should have been able to relogin from keytab", lastLogin2 > lastLogin);
        Assert.assertNotNull(login2);
        Assert.assertNotSame(login, login2);
    }

    @Test
    public void testGetUGIFromKnownSubject() throws Exception {
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("user");
        File file = new File(this.workDir, "user.keytab");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        Subject subject = UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal.getName(), file.getPath()).getSubject();
        User user = getUser(subject);
        Assert.assertNotNull(user);
        LoginContext login = user.getLogin();
        Assert.assertNotNull(login);
        Assert.assertSame(user, getUser(UserGroupInformation.getUGIFromSubject(subject).getSubject()));
        Assert.assertSame(login, user.getLogin());
    }

    @Test
    public void testGetUGIFromExternalSubject() throws Exception {
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("user");
        File file = new File(this.workDir, "user.keytab");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        Subject subject = UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal.getName(), file.getPath()).getSubject();
        removeUser(subject);
        Assert.assertSame(subject, UserGroupInformation.getUGIFromSubject(subject).getSubject());
        User user = getUser(subject);
        Assert.assertNotNull(user);
        Assert.assertEquals(kerberosPrincipal.getName(), user.getName());
        Assert.assertNull(user.getLogin());
        UserGroupInformation uGIFromSubject = UserGroupInformation.getUGIFromSubject(subject);
        Assert.assertSame(subject, uGIFromSubject.getSubject());
        Assert.assertSame(user, getUser(uGIFromSubject.getSubject()));
        Assert.assertNull(user.getLogin());
    }

    @Test
    public void testGetUGIFromExternalSubjectWithLogin() throws Exception {
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("user");
        File file = new File(this.workDir, "user.keytab");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        Subject subject = UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal.getName(), file.getPath()).getSubject();
        User user = getUser(subject);
        LoginContext loginContext = (LoginContext) Mockito.mock(LoginContext.class);
        user.setLogin(loginContext);
        UserGroupInformation uGIFromSubject = UserGroupInformation.getUGIFromSubject(subject);
        Assert.assertSame(subject, uGIFromSubject.getSubject());
        Assert.assertSame(user, getUser(uGIFromSubject.getSubject()));
        Assert.assertSame(loginContext, user.getLogin());
    }

    @Test
    public void testUGIRefreshFromKeytab() throws Exception {
        Configuration configuration = new Configuration();
        configuration.setBoolean("hadoop.kerberos.keytab.login.autorenewal.enabled", true);
        SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
        UserGroupInformation.setConfiguration(configuration);
        File file = new File(this.workDir, "bar.keytab");
        this.kdc.createPrincipal(file, new String[]{"bar"});
        UserGroupInformation.loginUserFromKeytab("bar", file.getPath());
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, loginUser.getAuthenticationMethod());
        Assert.assertTrue(loginUser.isFromKeytab());
        Assert.assertTrue(UserGroupInformation.isKerberosKeyTabLoginRenewalEnabled());
        Assert.assertTrue(UserGroupInformation.getKerberosLoginRenewalExecutor().isPresent());
    }

    @Test
    public void testUGIRefreshFromKeytabDisabled() throws Exception {
        GenericTestUtils.setLogLevel(UserGroupInformation.LOG, Level.DEBUG);
        Configuration configuration = new Configuration();
        configuration.setLong("hadoop.kerberos.min.seconds.before.relogin", 1L);
        configuration.setBoolean("hadoop.kerberos.keytab.login.autorenewal.enabled", false);
        SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
        UserGroupInformation.setConfiguration(configuration);
        File file = new File(this.workDir, "bar.keytab");
        this.kdc.createPrincipal(file, new String[]{"bar"});
        UserGroupInformation.loginUserFromKeytab("bar", file.getPath());
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, loginUser.getAuthenticationMethod());
        Assert.assertTrue(loginUser.isFromKeytab());
        Assert.assertFalse(UserGroupInformation.isKerberosKeyTabLoginRenewalEnabled());
        Assert.assertFalse(UserGroupInformation.getKerberosLoginRenewalExecutor().isPresent());
    }

    private static KerberosTicket getTicket(UserGroupInformation userGroupInformation) {
        Set privateCredentials = userGroupInformation.getSubject().getPrivateCredentials(KerberosTicket.class);
        if (privateCredentials.isEmpty()) {
            return null;
        }
        return (KerberosTicket) privateCredentials.iterator().next();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static KerberosTicket checkTicketAndKeytab(UserGroupInformation userGroupInformation, KerberosPrincipal kerberosPrincipal, boolean z) {
        Assert.assertEquals("wrong principal", kerberosPrincipal.getName(), userGroupInformation.getUserName());
        Assert.assertEquals("is not keytab", Boolean.valueOf(z), Boolean.valueOf(userGroupInformation.isFromKeytab()));
        KerberosTicket ticket = getTicket(userGroupInformation);
        Assert.assertNotNull("no ticket", ticket);
        Assert.assertEquals("wrong principal", kerberosPrincipal, ticket.getClient());
        return ticket;
    }

    @Test
    public void testReloginForUGIFromSubject() throws Exception {
        final KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("user1");
        File file = new File(this.workDir, "user1.keytab");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        final KerberosPrincipal kerberosPrincipal2 = new KerberosPrincipal("user2");
        File file2 = new File(this.workDir, "user2.keytab");
        this.kdc.createPrincipal(file2, new String[]{kerberosPrincipal2.getName()});
        final Subject subject = UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal2.getName(), file2.getPath()).getSubject();
        removeUser(subject);
        UserGroupInformation.loginUserFromKeytab(kerberosPrincipal.getName(), file.getPath());
        final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        loginUser.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws IOException {
                KerberosTicket checkTicketAndKeytab = TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser, kerberosPrincipal, true);
                UserGroupInformation uGIFromSubject = UserGroupInformation.getUGIFromSubject(subject);
                KerberosTicket checkTicketAndKeytab2 = TestUGILoginFromKeytab.checkTicketAndKeytab(uGIFromSubject, kerberosPrincipal2, false);
                loginUser.reloginFromKeytab();
                KerberosTicket checkTicketAndKeytab3 = TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser, kerberosPrincipal, true);
                Assert.assertNotEquals(checkTicketAndKeytab.getAuthTime(), checkTicketAndKeytab3.getAuthTime());
                uGIFromSubject.reloginFromKeytab();
                Assert.assertSame(checkTicketAndKeytab2, TestUGILoginFromKeytab.checkTicketAndKeytab(uGIFromSubject, kerberosPrincipal2, false));
                Assert.assertSame(checkTicketAndKeytab3, TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser, kerberosPrincipal, true));
                return null;
            }
        });
    }

    @Test
    public void testReloginForLoginFromSubject() throws Exception {
        final KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("user1");
        File file = new File(this.workDir, "user1.keytab");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        final KerberosPrincipal kerberosPrincipal2 = new KerberosPrincipal("user2");
        final File file2 = new File(this.workDir, "user2.keytab");
        this.kdc.createPrincipal(file2, new String[]{kerberosPrincipal2.getName()});
        UserGroupInformation.loginUserFromKeytab(kerberosPrincipal.getName(), file.getPath());
        final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        Assert.assertNotNull(getUser(loginUser.getSubject()).getLogin());
        loginUser.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws IOException {
                KerberosTicket checkTicketAndKeytab = TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser, kerberosPrincipal, true);
                Subject subject = UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal2.getName(), file2.getPath()).getSubject();
                TestUGILoginFromKeytab.this.removeUser(subject);
                UserGroupInformation.loginUserFromSubject(subject);
                Assert.assertNull(TestUGILoginFromKeytab.this.getUser(subject).getLogin());
                UserGroupInformation loginUser2 = UserGroupInformation.getLoginUser();
                KerberosTicket checkTicketAndKeytab2 = TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser2, kerberosPrincipal2, false);
                loginUser2.reloginFromKeytab();
                Assert.assertSame(checkTicketAndKeytab2, TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser2, kerberosPrincipal2, false));
                Assert.assertSame(checkTicketAndKeytab, TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser, kerberosPrincipal, true));
                loginUser.reloginFromKeytab();
                Assert.assertNotSame(checkTicketAndKeytab, TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser, kerberosPrincipal, true));
                Assert.assertSame(checkTicketAndKeytab2, TestUGILoginFromKeytab.checkTicketAndKeytab(loginUser2, kerberosPrincipal2, false));
                return null;
            }
        });
    }

    @Test
    public void testReloginAfterFailedRelogin() throws Exception {
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("user1");
        File file = new File(this.workDir, "user1.keytab");
        File file2 = new File(file + ".backup");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        UserGroupInformation.loginUserFromKeytab(kerberosPrincipal.getName(), file.getPath());
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        checkTicketAndKeytab(loginUser, kerberosPrincipal, true);
        Assert.assertTrue(file.renameTo(file2));
        try {
            loginUser.reloginFromKeytab();
            Assert.fail("relogin should fail");
        } catch (KerberosAuthException e) {
        }
        Assert.assertTrue(loginUser.isFromKeytab());
        Assert.assertNull(getTicket(loginUser));
        Assert.assertTrue(file2.renameTo(file));
        loginUser.reloginFromKeytab();
        checkTicketAndKeytab(loginUser, kerberosPrincipal, true);
    }

    @Test(timeout = 180000)
    public void testConcurrentRelogin() throws Exception {
        final CyclicBarrier cyclicBarrier = new CyclicBarrier(2);
        final CountDownLatch countDownLatch = new CountDownLatch(1);
        Assert.assertTrue(UserGroupInformation.isSecurityEnabled());
        final KerberosPrincipal kerberosPrincipal = new KerberosPrincipal("testUser");
        File file = new File(this.workDir, "user1.keytab");
        this.kdc.createPrincipal(file, new String[]{kerberosPrincipal.getName()});
        final UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal.getName(), file.getPath());
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, loginUserFromKeytabAndReturnUGI.getAuthenticationMethod());
        Assert.assertTrue(loginUserFromKeytabAndReturnUGI.isFromKeytab());
        final UserGroupInformation uGIFromSubject = UserGroupInformation.getUGIFromSubject(loginUserFromKeytabAndReturnUGI.getSubject());
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, uGIFromSubject.getAuthenticationMethod());
        Assert.assertTrue(uGIFromSubject.isFromKeytab());
        User user = getUser(loginUserFromKeytabAndReturnUGI.getSubject());
        LoginContext loginContext = (LoginContext) Mockito.spy(user.getLogin());
        user.setLogin(loginContext);
        ((LoginContext) Mockito.doAnswer(new Answer<Void>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.3
            /* renamed from: answer, reason: merged with bridge method [inline-methods] */
            public Void m1219answer(InvocationOnMock invocationOnMock) throws Throwable {
                invocationOnMock.callRealMethod();
                countDownLatch.countDown();
                cyclicBarrier.await();
                return null;
            }
        }).when(loginContext)).logout();
        Future submit = this.executor.submit(new Callable<Void>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public Void call() throws Exception {
                Thread.currentThread().setName("relogin");
                loginUserFromKeytabAndReturnUGI.reloginFromKeytab();
                return null;
            }
        });
        Assert.assertTrue("first relogin didn't block", countDownLatch.await(2L, TimeUnit.SECONDS));
        Assert.assertTrue(uGIFromSubject.isFromKeytab());
        ((LoginContext) Mockito.doNothing().when(loginContext)).logout();
        ((LoginContext) Mockito.doNothing().when(loginContext)).login();
        Future submit2 = this.executor.submit(new Callable<UserGroupInformation>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public UserGroupInformation call() throws Exception {
                Thread.currentThread().setName("clonedRelogin");
                uGIFromSubject.reloginFromKeytab();
                return uGIFromSubject;
            }
        });
        try {
            submit2.get(2L, TimeUnit.SECONDS);
            Assert.fail("second relogin didn't block!");
        } catch (TimeoutException e) {
        }
        loginUserFromKeytabAndReturnUGI.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.6
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                Assert.assertEquals(kerberosPrincipal.getName(), currentUser.getUserName());
                Assert.assertTrue(currentUser.isFromKeytab());
                return null;
            }
        });
        uGIFromSubject.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.security.TestUGILoginFromKeytab.7
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                Assert.assertEquals(kerberosPrincipal.getName(), currentUser.getUserName());
                Assert.assertTrue(currentUser.isFromKeytab());
                return null;
            }
        });
        Assert.assertFalse(submit2.isDone());
        cyclicBarrier.await();
        submit.get();
        submit2.get();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public User getUser(Subject subject) {
        Iterator it = subject.getPrincipals(User.class).iterator();
        if (it.hasNext()) {
            return (User) it.next();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeUser(Subject subject) {
        Iterator<Principal> it = subject.getPrincipals().iterator();
        while (it.hasNext()) {
            if (it.next() instanceof User) {
                it.remove();
            }
        }
    }
}
