package com.datastax.driver.dse.auth;

import com.datastax.driver.core.AuthProvider;
import com.datastax.driver.core.BatchStatement;
import com.datastax.driver.core.CCMBridge;
import com.datastax.driver.core.CCMConfig;
import com.datastax.driver.core.CreateCCM;
import com.datastax.driver.core.Row;
import com.datastax.driver.core.SimpleStatement;
import com.datastax.driver.core.Statement;
import com.datastax.driver.core.TestUtils;
import com.datastax.driver.core.exceptions.AuthenticationException;
import com.datastax.driver.core.exceptions.UnauthorizedException;
import com.datastax.driver.core.utils.DseVersion;
import com.datastax.driver.dse.CCMDseTestsSupport;
import com.datastax.driver.dse.DseCluster;
import java.io.File;
import org.assertj.core.api.Assertions;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

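/**
 * Integration tests for DSE proxy authentication ("login as") and proxy execution ("execute as")
 * against a DSE node that uses Kerberos as its default scheme and internal (plain-text) as a
 * secondary scheme.
 *
 * <p>Role matrix created in {@link #onTestContextInitialized()}:
 *
 * <ul>
 *   <li>{@code alice}: owns {@code aliceks}; created with {@code LOGIN = FALSE}, so the tests only
 *       ever reach her data through a proxy.
 *   <li>{@code ben} (internal) and {@code bob@DATASTAX.COM} (Kerberos): granted
 *       {@code PROXY.LOGIN} on alice. Expected to log in as alice, and to be refused when
 *       executing a statement as alice.
 *   <li>{@code steve} (internal) and {@code charlie@DATASTAX.COM} (Kerberos): granted
 *       {@code PROXY.EXECUTE} on alice. Expected to execute statements as alice, and to be
 *       refused when logging in as alice.
 * </ul>
 *
 * <p>All passwords here are fixture values (password equals user name, plus the
 * {@code cassandra}/{@code cassandra} superuser) for a throw-away CCM cluster and embedded KDC.
 */
@CreateCCM(CreateCCM.TestMode.PER_METHOD)
@DseVersion("5.1.0")
@CCMConfig(ccmProvider = "configureCCM")
/* loaded from: input_file:com/datastax/driver/dse/auth/DseProxyAuthenticationTest.class */
public class DseProxyAuthenticationTest extends CCMDseTestsSupport {
    private static final String realm = "DATASTAX.COM";
    private static final String address = TestUtils.IP_PREFIX + "1";

    // Embedded directory server acting as the Kerberos KDC for the realm above.
    private final EmbeddedADS adsServer = EmbeddedADS.builder().withKerberos().withRealm(realm).withAddress(address).build();
    private final String dsePrincipal = "dse/" + this.adsServer.getHostname() + "@" + realm;
    // Client principals; the values must match the role names quoted in the CQL fixture below.
    private final String bobPrincipal = "bob@" + realm;
    private final String charliePrincipal = "charlie@" + realm;
    private File dseKeytab;
    private File bobKeytab;
    private File charlieKeytab;

    /**
     * Starts the embedded KDC once and creates a keytab for the DSE service principal and for the
     * two Kerberos client principals.
     */
    @BeforeClass(groups = {"long"})
    public void setupKDC() throws Exception {
        if (this.adsServer.isStarted()) {
            return;
        }
        this.adsServer.start();
        this.dseKeytab = this.adsServer.addUserAndCreateKeytab("dse", "dse", this.dsePrincipal);
        this.bobKeytab = this.adsServer.addUserAndCreateKeytab("bob", "bob", this.bobPrincipal);
        this.charlieKeytab = this.adsServer.addUserAndCreateKeytab("charlie", "charlie", this.charliePrincipal);
    }

    /** Stops the embedded KDC; runs even when earlier configuration methods failed. */
    @AfterClass(groups = {"long"}, alwaysRun = true)
    public void teardownKDC() throws Exception {
        this.adsServer.stop();
    }

    /**
     * CCM provider named by {@code @CCMConfig}: enables the DSE authenticator and authorizer with
     * Kerberos as the default scheme and internal authentication as an additional scheme.
     *
     * <p>Reads {@code dseKeytab}, which is only assigned in {@link #setupKDC()}; presumably the
     * harness calls this after the {@code @BeforeClass} method, otherwise it fails with a
     * NullPointerException (confirm against the CCM test support class).
     */
    public CCMBridge.Builder configureCCM() {
        return CCMBridge.builder()
                .withCassandraConfiguration("authorizer", "com.datastax.bdp.cassandra.auth.DseAuthorizer")
                .withCassandraConfiguration("authenticator", "com.datastax.bdp.cassandra.auth.DseAuthenticator")
                .withDSEConfiguration("authentication_options:\n  enabled: true\n  default_scheme: kerberos\n  other_schemes:\n    - internal")
                .withDSEConfiguration("authorization_options.enabled", true)
                .withDSEConfiguration("kerberos_options.keytab", this.dseKeytab.getAbsolutePath())
                .withDSEConfiguration("kerberos_options.service_principal", "dse/_HOST@DATASTAX.COM")
                // SASL quality of protection "auth": authentication only, no integrity or
                // confidentiality layer. Acceptable for this local fixture.
                .withDSEConfiguration("kerberos_options.qop", "auth")
                .withJvmArgs(
                        "-Dcassandra.superuser_setup_delay_ms=0",
                        "-Djava.security.krb5.conf=" + this.adsServer.getKrb5Conf().getAbsolutePath());
    }

    /**
     * Returns the base cluster builder authenticated as the default {@code cassandra} superuser,
     * which is the identity used to create the role fixture.
     */
    @Override // com.datastax.driver.dse.CCMDseTestsSupport, com.datastax.driver.core.CCMTestsSupport
    /* renamed from: createClusterBuilder */
    public DseCluster.Builder mo16createClusterBuilder() {
        return super.mo16createClusterBuilder().withAuthProvider(new DsePlainTextAuthProvider("cassandra", "cassandra"));
    }

    /** Creates the roles, the keyspace owned by alice, and the proxy grants under test. */
    @Override // com.datastax.driver.core.CCMTestsSupport
    public void onTestContextInitialized() {
        execute(
                // Roles. alice cannot log in directly.
                "CREATE ROLE IF NOT EXISTS alice WITH PASSWORD = 'alice' AND LOGIN = FALSE",
                "CREATE ROLE IF NOT EXISTS ben WITH PASSWORD = 'ben' AND LOGIN = TRUE",
                "CREATE ROLE IF NOT EXISTS 'bob@DATASTAX.COM' WITH LOGIN = TRUE",
                "CREATE ROLE IF NOT EXISTS 'charlie@DATASTAX.COM' WITH PASSWORD = 'charlie' AND LOGIN = TRUE",
                "CREATE ROLE IF NOT EXISTS steve WITH PASSWORD = 'steve' AND LOGIN = TRUE",
                // Data that only alice is granted access to.
                "CREATE KEYSPACE IF NOT EXISTS aliceks WITH REPLICATION = {'class':'SimpleStrategy', 'replication_factor':'1'}",
                "CREATE TABLE IF NOT EXISTS aliceks.alicetable (key text PRIMARY KEY, value text)",
                "INSERT INTO aliceks.alicetable (key, value) VALUES ('hello', 'world')",
                "GRANT ALL ON KEYSPACE aliceks TO alice",
                // Every login role may use every authentication scheme.
                "GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'ben'",
                "GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'bob@DATASTAX.COM'",
                "GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'steve'",
                "GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES TO 'charlie@DATASTAX.COM'",
                // The two proxy permissions are granted to disjoint sets of roles.
                "GRANT PROXY.LOGIN ON ROLE 'alice' TO 'ben'",
                "GRANT PROXY.LOGIN ON ROLE 'alice' TO 'bob@DATASTAX.COM'",
                "GRANT PROXY.EXECUTE ON ROLE 'alice' TO 'steve'",
                "GRANT PROXY.EXECUTE ON ROLE 'alice' TO 'charlie@DATASTAX.COM'");
    }

    /** ben holds PROXY.LOGIN on alice, so a plain-text login with authorization id alice succeeds. */
    @Test(groups = {"long"})
    public void should_allow_plain_text_authorized_user_to_login_as() throws Exception {
        Assertions.assertThat(connectAndQuery(new DsePlainTextAuthProvider("ben", "ben", "alice"), null)).isNotNull();
    }

    /** bob holds PROXY.LOGIN on alice, so a GSSAPI login with authorization id alice succeeds. */
    @Test(groups = {"long"})
    public void should_allow_kerberos_authorized_user_to_login_as() throws Exception {
        AuthProvider provider = DseGSSAPIAuthProvider.builder()
                .withLoginConfiguration(KerberosUtils.keytabClient(this.bobKeytab, this.bobPrincipal))
                .withAuthorizationId("alice")
                .build();
        Assertions.assertThat(connectAndQuery(provider, null)).isNotNull();
    }

    /**
     * steve holds only PROXY.EXECUTE, so logging in as alice must be rejected.
     *
     * <p>NOTE(review): any AuthenticationException satisfies this test, including one caused by
     * bad credentials or a broken fixture, so it does not by itself prove the rejection came from
     * the missing PROXY.LOGIN grant. Consider asserting on the message as the execute-as tests do.
     */
    @Test(groups = {"long"}, expectedExceptions = {AuthenticationException.class})
    public void should_not_allow_plain_text_unauthorized_user_to_login_as() throws Exception {
        connectAndQuery(new DsePlainTextAuthProvider("steve", "steve", "alice"), null);
    }

    /**
     * charlie holds only PROXY.EXECUTE, so a GSSAPI login as alice must be rejected.
     *
     * <p>NOTE(review): as with the plain-text variant, the expected exception type alone does not
     * distinguish a denied proxy login from a Kerberos setup failure.
     */
    @Test(groups = {"long"}, expectedExceptions = {AuthenticationException.class})
    public void should_not_allow_kerberos_unauthorized_user_to_login_as() throws Exception {
        AuthProvider provider = DseGSSAPIAuthProvider.builder()
                .withLoginConfiguration(KerberosUtils.keytabClient(this.charlieKeytab, this.charliePrincipal))
                .withAuthorizationId("alice")
                .build();
        connectAndQuery(provider, null);
    }

    /** steve holds PROXY.EXECUTE on alice, so a statement executed as alice returns her row. */
    @Test(groups = {"long"})
    public void should_allow_plain_text_authorized_user_to_execute_as() throws Exception {
        Assertions.assertThat(connectAndQuery(new DsePlainTextAuthProvider("steve", "steve"), "alice")).isNotNull();
    }

    /** Batch variant of the above; passes when the batch executes without an exception. */
    @Test(groups = {"long"})
    public void should_allow_plain_text_authorized_user_to_execute_batch_as() throws Exception {
        connectAndBatchQuery(new DsePlainTextAuthProvider("steve", "steve"), "alice");
    }

    /** charlie holds PROXY.EXECUTE on alice, so a statement executed as alice returns her row. */
    @Test(groups = {"long"})
    public void should_allow_kerberos_authorized_user_to_execute_as() throws Exception {
        AuthProvider provider = DseGSSAPIAuthProvider.builder()
                .withLoginConfiguration(KerberosUtils.keytabClient(this.charlieKeytab, this.charliePrincipal))
                .build();
        Assertions.assertThat(connectAndQuery(provider, "alice")).isNotNull();
    }

    /** ben holds only PROXY.LOGIN, so executing as alice must fail with the documented message. */
    @Test(groups = {"long"})
    public void should_not_allow_plain_text_unauthorized_user_to_execute_as() throws Exception {
        try {
            connectAndQuery(new DsePlainTextAuthProvider("ben", "ben"), "alice");
            Assertions.fail("Should have thrown an exception");
        } catch (UnauthorizedException e) {
            verifyException(e, "ben");
        }
    }

    /** Batch variant: ben must also be refused when a batch is executed as alice. */
    @Test(groups = {"long"})
    public void should_not_allow_plain_text_unauthorized_user_to_execute_batch_as() throws Exception {
        try {
            connectAndBatchQuery(new DsePlainTextAuthProvider("ben", "ben"), "alice");
            Assertions.fail("Should have thrown an exception");
        } catch (UnauthorizedException e) {
            verifyException(e, "ben");
        }
    }

    /** bob holds only PROXY.LOGIN, so executing as alice must fail with the documented message. */
    @Test(groups = {"long"})
    public void should_not_allow_kerberos_unauthorized_user_to_execute_as() throws Exception {
        AuthProvider provider = DseGSSAPIAuthProvider.builder()
                .withLoginConfiguration(KerberosUtils.keytabClient(this.bobKeytab, this.bobPrincipal))
                .build();
        try {
            connectAndQuery(provider, "alice");
            Assertions.fail("Should have thrown an exception");
        } catch (UnauthorizedException e) {
            verifyException(e, this.bobPrincipal);
        }
    }

    /**
     * Connects with the given provider and reads one row from alice's table.
     *
     * @param authProvider credentials (and optional authorization id) used for the connection
     * @param executeAs role to execute the statement as, or {@code null} to run it as the
     *     connected identity
     * @return the first row of the result, or {@code null} if the result is empty
     */
    private Row connectAndQuery(AuthProvider authProvider, String executeAs) {
        DseCluster cluster = mo16createClusterBuilder()
                .addContactPointsWithPorts(getContactPointsWithPorts())
                .withAuthProvider(authProvider)
                .build();
        try {
            Statement statement = new SimpleStatement("select * from aliceks.alicetable");
            if (executeAs != null) {
                statement = statement.executingAs(executeAs);
            }
            return cluster.connect().execute(statement).one();
        } finally {
            // Always release the cluster, whether the query succeeded or was refused.
            cluster.close();
        }
    }

    /**
     * Connects with the given provider and runs a one-statement batch against alice's table.
     *
     * @param authProvider credentials used for the connection
     * @param executeAs role to execute the batch as, or {@code null} to run it as the connected
     *     identity
     */
    private void connectAndBatchQuery(AuthProvider authProvider, String executeAs) {
        DseCluster cluster = mo16createClusterBuilder()
                .addContactPointsWithPorts(getContactPointsWithPorts())
                .withAuthProvider(authProvider)
                .build();
        try {
            BatchStatement batch = new BatchStatement();
            batch.add(new SimpleStatement("delete from aliceks.alicetable where key = 'doesnotexist'"));
            if (executeAs != null) {
                // NOTE(review): the return value is discarded here, unlike in connectAndQuery;
                // this relies on executingAs configuring the batch in place. Confirm.
                batch.executingAs(executeAs);
            }
            cluster.connect().execute(batch).one();
        } finally {
            cluster.close();
        }
    }

    /**
     * Asserts that the server refused proxy execution for {@code user} with the exact message that
     * names the missing PROXY.EXECUTE grant, so the failure is tied to authorization and not to
     * some other error.
     */
    private void verifyException(UnauthorizedException unauthorizedException, String user) {
        Assertions.assertThat(unauthorizedException.getMessage()).isEqualTo(String.format("Either '%s' does not have permission to execute queries as 'alice' or that role does not exist. Run 'GRANT PROXY.EXECUTE ON ROLE 'alice' TO '%s' as an administrator if you wish to allow this.", user, user));
    }
}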
