package com.datastax.dse.driver.api.core.auth;

import com.datastax.dse.driver.api.core.config.DseDriverOption;
import com.datastax.oss.driver.api.core.AllNodesFailedException;
import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.auth.AuthenticationException;
import com.datastax.oss.driver.api.core.config.DefaultDriverOption;
import com.datastax.oss.driver.api.core.cql.SimpleStatement;
import com.datastax.oss.driver.api.core.servererrors.UnauthorizedException;
import com.datastax.oss.driver.api.testinfra.DseRequirement;
import com.datastax.oss.driver.api.testinfra.session.SessionUtils;
import com.datastax.oss.driver.internal.core.auth.PlainTextAuthProvider;
import org.assertj.core.api.Assertions;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

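/**
 * Integration tests for DSE proxy authentication ("login as") and proxy execution ("execute as").
 *
 * <p>The fixture created in {@link #setupRoles()} gives the following authorization matrix, all of
 * it targeting the role {@code alice} (which owns {@code aliceks} and has {@code LOGIN = FALSE}):
 *
 * <ul>
 *   <li>{@code ben} (plain text) and {@code bob@DATASTAX.COM} (Kerberos) hold {@code PROXY.LOGIN}
 *       only.
 *   <li>{@code steve} (plain text) and {@code charlie@DATASTAX.COM} (Kerberos) hold {@code
 *       PROXY.EXECUTE} only.
 * </ul>
 *
 * <p>The positive tests check that each grant permits the matching operation. The negative tests
 * check that the two permissions are not interchangeable: a {@code PROXY.EXECUTE} holder cannot
 * log in as {@code alice}, and a {@code PROXY.LOGIN} holder cannot execute statements as {@code
 * alice}.
 *
 * <p>Passwords equal to the user name are test-fixture values for the embedded directory and the
 * CCM cluster only.
 */
@DseRequirement(min = "5.1", description = "Required for DseAuthenticator with proxy")
public class DseProxyAuthenticationIT {
    /** Query against the table that only {@code alice} has been granted access to. */
    private static final String ALICE_TABLE_QUERY = "select * from aliceks.alicetable";

    private static String bobPrincipal;
    private static String charliePrincipal;

    @ClassRule
    public static EmbeddedAdsRule ads = new EmbeddedAdsRule();

    /** Registers the two Kerberos users and keeps the principal names returned by the rule. */
    @BeforeClass
    public static void addUsers() {
        bobPrincipal = ads.addUserAndCreateKeyTab("bob", "bob");
        charliePrincipal = ads.addUserAndCreateKeyTab("charlie", "charlie");
    }

    /**
     * Creates the roles, the keyspace/table owned by {@code alice}, and the proxy grants.
     *
     * <p>Every statement uses {@code IF NOT EXISTS} or is a grant, and the method runs before each
     * test. The session is closed by try-with-resources whether or not a statement fails.
     */
    @Before
    public void setupRoles() {
        try (CqlSession session = ads.newKeyTabSession()) {
            // Target role: cannot log in directly, so it is only reachable through a proxy grant.
            session.execute("CREATE ROLE IF NOT EXISTS alice WITH PASSWORD = 'alice' AND LOGIN = FALSE");
            session.execute("CREATE ROLE IF NOT EXISTS ben WITH PASSWORD = 'ben' AND LOGIN = TRUE");
            session.execute("CREATE ROLE IF NOT EXISTS 'bob@DATASTAX.COM' WITH LOGIN = TRUE");
            session.execute("CREATE ROLE IF NOT EXISTS 'charlie@DATASTAX.COM' WITH PASSWORD = 'charlie' AND LOGIN = TRUE");
            session.execute("CREATE ROLE IF NOT EXISTS steve WITH PASSWORD = 'steve' AND LOGIN = TRUE");
            session.execute("CREATE KEYSPACE IF NOT EXISTS aliceks WITH REPLICATION = {'class':'SimpleStrategy', 'replication_factor':'1'}");
            session.execute("CREATE TABLE IF NOT EXISTS aliceks.alicetable (key text PRIMARY KEY, value text)");
            session.execute("INSERT INTO aliceks.alicetable (key, value) VALUES ('hello', 'world')");
            session.execute("GRANT ALL ON KEYSPACE aliceks TO alice");
            session.execute("GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'ben'");
            session.execute("GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'bob@DATASTAX.COM'");
            session.execute("GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'steve'");
            session.execute("GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'charlie@DATASTAX.COM'");
            // PROXY.LOGIN and PROXY.EXECUTE are granted to disjoint sets of roles so that the
            // negative tests can show one permission does not imply the other.
            session.execute("GRANT PROXY.LOGIN ON ROLE 'alice' TO 'ben'");
            session.execute("GRANT PROXY.LOGIN ON ROLE 'alice' TO 'bob@DATASTAX.COM'");
            session.execute("GRANT PROXY.EXECUTE ON ROLE 'alice' TO 'steve'");
            session.execute("GRANT PROXY.EXECUTE ON ROLE 'alice' TO 'charlie@DATASTAX.COM'");
        }
    }

    /** {@code ben} holds PROXY.LOGIN, so a config-driven login as {@code alice} can read her table. */
    @Test
    public void should_allow_plain_text_authorized_user_to_login_as() {
        try (CqlSession session =
                SessionUtils.newSession(
                        ads.ccm,
                        SessionUtils.configLoaderBuilder()
                                .withString(DseDriverOption.AUTH_PROVIDER_AUTHORIZATION_ID, "alice")
                                .withString(DefaultDriverOption.AUTH_PROVIDER_USER_NAME, "ben")
                                .withString(DefaultDriverOption.AUTH_PROVIDER_PASSWORD, "ben")
                                .withClass(DefaultDriverOption.AUTH_PROVIDER_CLASS, PlainTextAuthProvider.class)
                                .build())) {
            Assertions.assertThat(session.execute(SimpleStatement.builder(ALICE_TABLE_QUERY).build()))
                    .isNotNull();
        }
    }

    /**
     * Same scenario as the config-driven test, with credentials and authorization id passed to the
     * session builder.
     *
     * <p>NOTE(review): this test only queries {@code system.local}, so it shows that the proxied
     * login succeeds but does not by itself show that {@code alice}'s permissions are in effect;
     * the config-driven variant covers that by reading {@code aliceks.alicetable}.
     */
    @Test
    public void should_allow_plain_text_authorized_user_to_login_as_programmatically() {
        try (CqlSession session =
                CqlSession.builder()
                        .addContactEndPoints(ads.ccm.getContactPoints())
                        .withAuthCredentials("ben", "ben", "alice")
                        .build()) {
            session.execute("select * from system.local");
        }
    }

    /** {@code bob} holds PROXY.LOGIN, so a Kerberos login as {@code alice} can read her table. */
    @Test
    public void should_allow_kerberos_authorized_user_to_login_as() {
        try (CqlSession session =
                ads.newKeyTabSession(
                        bobPrincipal, ads.getKeytabForPrincipal(bobPrincipal).getAbsolutePath(), "alice")) {
            Assertions.assertThat(session.execute(SimpleStatement.builder(ALICE_TABLE_QUERY).build()))
                    .isNotNull();
        }
    }

    /**
     * {@code steve} holds only PROXY.EXECUTE, so logging in as {@code alice} must be rejected.
     *
     * <p>The {@code catch} also covers session creation, which is where the failure is expected.
     * {@code Assertions.fail} is not caught by it, so an unexpected success fails the test.
     */
    @Test
    public void should_not_allow_plain_text_unauthorized_user_to_login_as() {
        try (CqlSession session =
                SessionUtils.newSession(
                        ads.ccm,
                        SessionUtils.configLoaderBuilder()
                                .withString(DseDriverOption.AUTH_PROVIDER_AUTHORIZATION_ID, "alice")
                                .withString(DefaultDriverOption.AUTH_PROVIDER_USER_NAME, "steve")
                                .withString(DefaultDriverOption.AUTH_PROVIDER_PASSWORD, "steve")
                                .withClass(DefaultDriverOption.AUTH_PROVIDER_CLASS, PlainTextAuthProvider.class)
                                .build())) {
            session.execute(SimpleStatement.builder(ALICE_TABLE_QUERY).build());
            Assertions.fail("Should have thrown AllNodesFailedException on login.");
        } catch (AllNodesFailedException e) {
            verifyException(e);
        }
    }

    /** {@code charlie} holds only PROXY.EXECUTE, so a Kerberos login as {@code alice} must fail. */
    @Test
    public void should_not_allow_kerberos_unauthorized_user_to_login_as() throws Exception {
        try (CqlSession session =
                ads.newKeyTabSession(
                        charliePrincipal,
                        ads.getKeytabForPrincipal(charliePrincipal).getAbsolutePath(),
                        "alice")) {
            session.execute(SimpleStatement.builder(ALICE_TABLE_QUERY).build());
            Assertions.fail("Should have thrown AllNodesFailedException on login.");
        } catch (AllNodesFailedException e) {
            verifyException(e);
        }
    }

    /** {@code steve} logs in as himself and, holding PROXY.EXECUTE, runs a statement as {@code alice}. */
    @Test
    public void should_allow_plain_text_authorized_user_to_execute_as() {
        try (CqlSession session =
                SessionUtils.newSession(
                        ads.ccm,
                        SessionUtils.configLoaderBuilder()
                                .withString(DefaultDriverOption.AUTH_PROVIDER_USER_NAME, "steve")
                                .withString(DefaultDriverOption.AUTH_PROVIDER_PASSWORD, "steve")
                                .withClass(DefaultDriverOption.AUTH_PROVIDER_CLASS, PlainTextAuthProvider.class)
                                .build())) {
            SimpleStatement select = SimpleStatement.builder(ALICE_TABLE_QUERY).build();
            Assertions.assertThat(session.execute(ProxyAuthentication.executeAs("alice", select)))
                    .isNotNull();
        }
    }

    /** {@code charlie} logs in via Kerberos and, holding PROXY.EXECUTE, runs a statement as {@code alice}. */
    @Test
    public void should_allow_kerberos_authorized_user_to_execute_as() {
        try (CqlSession session =
                ads.newKeyTabSession(
                        charliePrincipal, ads.getKeytabForPrincipal(charliePrincipal).getAbsolutePath())) {
            SimpleStatement select = SimpleStatement.builder(ALICE_TABLE_QUERY).build();
            Assertions.assertThat(session.execute(ProxyAuthentication.executeAs("alice", select)))
                    .isNotNull();
        }
    }

    /** {@code ben} holds only PROXY.LOGIN, so executing a statement as {@code alice} must be refused. */
    @Test
    public void should_not_allow_plain_text_unauthorized_user_to_execute_as() {
        try (CqlSession session =
                SessionUtils.newSession(
                        ads.ccm,
                        SessionUtils.configLoaderBuilder()
                                .withString(DefaultDriverOption.AUTH_PROVIDER_USER_NAME, "ben")
                                .withString(DefaultDriverOption.AUTH_PROVIDER_PASSWORD, "ben")
                                .withClass(DefaultDriverOption.AUTH_PROVIDER_CLASS, PlainTextAuthProvider.class)
                                .build())) {
            SimpleStatement select = SimpleStatement.builder(ALICE_TABLE_QUERY).build();
            session.execute(ProxyAuthentication.executeAs("alice", select));
            Assertions.fail("Should have thrown UnauthorizedException on executeAs.");
        } catch (UnauthorizedException e) {
            verifyException(e, "ben");
        }
    }

    /** {@code bob} holds only PROXY.LOGIN, so executing a statement as {@code alice} must be refused. */
    @Test
    public void should_not_allow_kerberos_unauthorized_user_to_execute_as() {
        try (CqlSession session =
                ads.newKeyTabSession(
                        bobPrincipal, ads.getKeytabForPrincipal(bobPrincipal).getAbsolutePath())) {
            SimpleStatement select = SimpleStatement.builder(ALICE_TABLE_QUERY).build();
            session.execute(ProxyAuthentication.executeAs("alice", select));
            Assertions.fail("Should have thrown UnauthorizedException on executeAs.");
        } catch (UnauthorizedException e) {
            verifyException(e, "bob@DATASTAX.COM");
        }
    }

    /**
     * Checks that a failed connection was caused by an authentication rejection.
     *
     * <p>Only the first per-node error is inspected. The expected text pins the node address
     * {@code /127.0.0.1:9042} and the server's generic "Failed to login" reply.
     *
     * @param allNodesFailedException the failure raised while opening the session
     */
    private void verifyException(AllNodesFailedException allNodesFailedException) {
        Throwable firstError = allNodesFailedException.getErrors().values().iterator().next();
        Assertions.assertThat(firstError).isInstanceOf(AuthenticationException.class);
        Assertions.assertThat(firstError.getMessage())
                .contains(
                        "Authentication error on node /127.0.0.1:9042: server replied 'Failed to login. Please re-try.'");
    }

    /**
     * Checks that an execute-as attempt was refused for the expected authenticated role.
     *
     * @param unauthorizedException the error returned for the proxied statement
     * @param str the authenticated role name expected in the server message
     */
    private void verifyException(UnauthorizedException unauthorizedException, String str) {
        Assertions.assertThat(unauthorizedException.getMessage())
                .contains(
                        String.format(
                                "Either '%s' does not have permission to execute queries as 'alice' or that role does not exist.",
                                str));
    }
}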
