package co.cask.cdap.internal.app.services;

import co.cask.cdap.api.security.store.SecureStore;
import co.cask.cdap.api.security.store.SecureStoreManager;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.conf.SConfiguration;
import co.cask.cdap.common.discovery.RandomEndpointStrategy;
import co.cask.cdap.common.namespace.NamespaceAdmin;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.common.utils.Tasks;
import co.cask.cdap.internal.AppFabricTestHelper;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.SecureKeyId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.authorization.AuthorizerInstantiator;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Charsets;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import com.google.inject.AbstractModule;
import com.google.inject.Injector;
import java.io.File;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:co/cask/cdap/internal/app/services/DefaultSecureStoreServiceTest.class */
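/**
 * Integration test for authorization enforcement on secure store operations.
 *
 * <p>The test starts an {@link AppFabricServer} with security and authorization enabled, backed by
 * {@link InMemoryAuthorizer} and the file-based secure store provider, and then checks that
 * put / get / list / delete on a secure key are allowed or rejected depending on the privileges
 * granted to the calling principal.
 */
public class DefaultSecureStoreServiceTest {
    private static final String KEY1 = "key1";
    private static final String DESCRIPTION1 = "This is the first key";
    private static final String VALUE1 = "caskisgreat";
    private static SecureStore secureStore;
    private static SecureStoreManager secureStoreManager;
    private static AppFabricServer appFabricServer;
    private static Authorizer authorizer;
    private static DiscoveryServiceClient discoveryServiceClient;
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);

    @ClassRule
    public static final TemporaryFolder TEMPORARY_FOLDER = new TemporaryFolder();

    /**
     * Boots the app fabric server with authorization enabled and looks up the services under test.
     *
     * @throws Exception if the server, the dataset service or the default namespace does not come up
     */
    @BeforeClass
    public static void setup() throws Exception {
        SConfiguration sConf = SConfiguration.create();
        // Fixture-only password for the file-backed store; the store lives in a temporary folder.
        sConf.set("security.store.file.password", "secret");
        final Injector injector = AppFabricTestHelper.getInjector(createCConf(), sConf, new AbstractModule() {
            @Override
            protected void configure() {
                // no additional bindings
            }
        });
        discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
        appFabricServer = injector.getInstance(AppFabricServer.class);
        appFabricServer.startAndWait();
        waitForService("dataset.service");
        secureStore = injector.getInstance(SecureStore.class);
        secureStoreManager = injector.getInstance(SecureStoreManager.class);
        authorizer = injector.getInstance(AuthorizerInstantiator.class).get();

        // ALICE holds READ on the default namespace only while waiting for the namespace to exist.
        // NOTE(review): presumably the existence check is authorization-aware -- confirm.
        // The grant is revoked again so the test starts with ALICE holding no privileges from here.
        authorizer.grant(NamespaceId.DEFAULT, ALICE, Collections.singleton(Action.READ));
        Tasks.waitFor(true, new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                return injector.getInstance(NamespaceAdmin.class).exists(NamespaceId.DEFAULT);
            }
        }, 5L, TimeUnit.SECONDS);
        authorizer.revoke(NamespaceId.DEFAULT, ALICE, Collections.singleton(Action.READ));
    }

    /**
     * Blocks until an endpoint for the given service is discoverable, for at most five seconds.
     *
     * @param str the discoverable name of the service to wait for
     * @throws NullPointerException if no endpoint is picked within five seconds
     */
    private static void waitForService(String str) {
        RandomEndpointStrategy endpointStrategy = new RandomEndpointStrategy(discoveryServiceClient.discover(str));
        Preconditions.checkNotNull(endpointStrategy.pick(5L, TimeUnit.SECONDS),
                                   "%s service is not up after 5 seconds", str);
    }

    /** Stops the app fabric server started in {@link #setup()}. */
    @AfterClass
    public static void cleanup() {
        // setup() can fail before the server is assigned; do not hide that failure behind an NPE.
        if (appFabricServer != null) {
            appFabricServer.stopAndWait();
        }
    }

    /**
     * Builds the configuration used by the test: security and authorization on, Kerberos off,
     * {@link InMemoryAuthorizer} packaged as the authorization extension, file secure store provider.
     *
     * @return the configuration passed to the injector
     * @throws Exception if a temporary folder or the extension jar cannot be created
     */
    private static CConfiguration createCConf() throws Exception {
        CConfiguration cConf = CConfiguration.create();
        cConf.set("local.data.dir", TEMPORARY_FOLDER.newFolder().getAbsolutePath());
        cConf.setBoolean("security.enabled", true);
        cConf.setBoolean("security.authorization.enabled", true);
        cConf.setBoolean("kerberos.auth.enabled", false);
        // NOTE(review): presumably 0 disables the authorization cache so that grants and revokes
        // are visible to the very next call -- confirm against the cache implementation.
        cConf.setInt("security.authorization.cache.max.entries", 0);
        LocalLocationFactory locationFactory = new LocalLocationFactory(TEMPORARY_FOLDER.newFolder());
        cConf.set("security.authorization.extension.jar.path",
                  AppJarHelper.createDeploymentJar(locationFactory, InMemoryAuthorizer.class, new File[0])
                      .toURI().getPath());
        cConf.set("security.store.provider", "file");
        return cConf;
    }

    /**
     * Walks one key through put, list, get and delete and checks the authorization outcome of each
     * step for two principals, then verifies no privileges on the key remain after deletion.
     *
     * @throws Exception if a secure store or authorizer call fails unexpectedly
     */
    @Test
    public void testSecureStoreAccess() throws Exception {
        final SecureKeyId secureKey = NamespaceId.DEFAULT.secureKey(KEY1);
        final String namespace = NamespaceId.DEFAULT.getNamespace();
        // The request context keeps the caller identity beyond this method; remember the previous
        // value and restore it in the finally block so no later test runs as "alice" or "bob".
        final String previousUserId = SecurityRequestContext.getUserId();
        SecurityRequestContext.setUserId(ALICE.getName());
        try {
            // Without WRITE on the namespace the put must be rejected.
            try {
                secureStoreManager.putSecureData(namespace, KEY1, VALUE1, DESCRIPTION1, Collections.emptyMap());
                Assert.fail("Alice should not be able to store a key since she does not have WRITE privileges on the namespace");
            } catch (UnauthorizedException expected) {
                // expected: the rejection is the behavior under test
            }

            // With WRITE on the namespace the put succeeds and the key shows up in the listing.
            grantAndAssertSuccess(NamespaceId.DEFAULT, ALICE, EnumSet.of(Action.WRITE));
            secureStoreManager.putSecureData(namespace, KEY1, VALUE1, DESCRIPTION1, Collections.emptyMap());
            Map<?, ?> listed = secureStore.listSecureData(namespace);
            Assert.assertEquals(1L, listed.size());
            Assert.assertTrue(listed.containsKey(KEY1));
            Assert.assertEquals(DESCRIPTION1, listed.get(KEY1));

            // Remove every action ALICE may hold on the key itself; the listing still reports it.
            revokeAndAssertSuccess(secureKey, ALICE, EnumSet.allOf(Action.class));
            Assert.assertEquals(1L, secureStore.listSecureData(namespace).size());

            // BOB reads the value once he holds READ on both the namespace and the key.
            SecurityRequestContext.setUserId(BOB.getName());
            grantAndAssertSuccess(NamespaceId.DEFAULT, BOB, EnumSet.of(Action.READ));
            grantAndAssertSuccess(secureKey, BOB, EnumSet.of(Action.READ));
            Assert.assertEquals(VALUE1, new String(secureStore.getSecureData(namespace, KEY1).get(), Charsets.UTF_8));
            Assert.assertEquals(1L, secureStore.listSecureData(namespace).size());

            // READ is not enough to delete: ADMIN on the key is required.
            try {
                secureStoreManager.deleteSecureData(namespace, KEY1);
                Assert.fail("Bob should not be able to delete a key since he does not have ADMIN privileges on the key");
            } catch (UnauthorizedException expected) {
                // expected: the rejection is the behavior under test
            }
            grantAndAssertSuccess(secureKey, BOB, ImmutableSet.of(Action.ADMIN));
            secureStoreManager.deleteSecureData(namespace, KEY1);
            Assert.assertEquals(0L, secureStore.listSecureData(namespace).size());

            // Deleting the key must also drop every privilege on it, so that a later key with the
            // same id cannot silently inherit grants from the deleted one.
            Predicate<Privilege> onSecureKey = new Predicate<Privilege>() {
                @Override
                public boolean apply(Privilege privilege) {
                    return privilege.getEntity().equals(secureKey);
                }
            };
            Assert.assertTrue(Sets.filter(authorizer.listPrivileges(ALICE), onSecureKey).isEmpty());
            Assert.assertTrue(Sets.filter(authorizer.listPrivileges(BOB), onSecureKey).isEmpty());
        } finally {
            SecurityRequestContext.setUserId(previousUserId);
        }
    }

    /**
     * Grants the actions and asserts the principal's privileges are exactly the previous ones plus
     * one privilege per granted action on the entity.
     *
     * @param entityId the entity the actions are granted on
     * @param principal the principal receiving the grant
     * @param set the actions to grant
     * @throws Exception if the authorizer call fails
     */
    private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        Set<Privilege> before = authorizer.listPrivileges(principal);
        authorizer.grant(entityId, principal, set);
        Assert.assertEquals(Sets.union(before, toPrivileges(entityId, set)), authorizer.listPrivileges(principal));
    }

    /**
     * Revokes the actions and asserts the principal's privileges are exactly the previous ones minus
     * one privilege per revoked action on the entity.
     *
     * @param entityId the entity the actions are revoked on
     * @param principal the principal losing the actions
     * @param set the actions to revoke
     * @throws Exception if the authorizer call fails
     */
    private void revokeAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        Set<Privilege> before = authorizer.listPrivileges(principal);
        authorizer.revoke(entityId, principal, set);
        Assert.assertEquals(Sets.difference(before, toPrivileges(entityId, set)), authorizer.listPrivileges(principal));
    }

    /** Pairs the entity with each action, giving the privileges a grant or revoke is expected to touch. */
    private static Set<Privilege> toPrivileges(EntityId entityId, Set<Action> actions) {
        ImmutableSet.Builder<Privilege> privileges = ImmutableSet.builder();
        for (Action action : actions) {
            privileges.add(new Privilege(entityId, action));
        }
        return privileges.build();
    }
}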
