package co.cask.cdap.security;

import co.cask.cdap.AllProgramsApp;
import co.cask.cdap.ConfigTestApp;
import co.cask.cdap.common.namespace.NamespaceAdmin;
import co.cask.cdap.common.utils.Tasks;
import co.cask.cdap.gateway.handlers.InMemoryAuthorizer;
import co.cask.cdap.internal.test.AppJarHelper;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.artifact.AppRequest;
import co.cask.cdap.proto.artifact.ArtifactSummary;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.Ids;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.cdap.test.ApplicationManager;
import co.cask.cdap.test.ArtifactManager;
import co.cask.cdap.test.ServiceManager;
import co.cask.cdap.test.SlowTests;
import co.cask.cdap.test.TestBase;
import co.cask.cdap.test.TestConfiguration;
import co.cask.cdap.test.app.AppWithServices;
import co.cask.cdap.test.app.DummyApp;
import co.cask.cdap.test.artifacts.plugins.ToStringPlugin;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.File;
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.ExternalResource;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.Description;
import org.junit.runners.model.Statement;

/* loaded from: input_file:co/cask/cdap/security/AuthorizationTest.class */
public class AuthorizationTest extends TestBase {
    private static InstanceId instance;
    private static final String OLD_USER = SecurityRequestContext.getUserId();
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);
    private static final NamespaceId AUTH_NAMESPACE = new NamespaceId("authorization");
    private static final NamespaceMeta AUTH_NAMESPACE_META = new NamespaceMeta.Builder().setName(AUTH_NAMESPACE.getNamespace()).build();

    @ClassRule
    public static final AuthTestConf AUTH_TEST_CONF = new AuthTestConf();

    /* loaded from: input_file:co/cask/cdap/security/AuthorizationTest$AuthTestConf.class */
    private static final class AuthTestConf extends ExternalResource {
        private final TemporaryFolder tmpFolder;
        private TestConfiguration testConf;

        private AuthTestConf() {
            this.tmpFolder = new TemporaryFolder();
        }

        public Statement apply(final Statement statement, final Description description) {
            return this.tmpFolder.apply(new Statement() { // from class: co.cask.cdap.security.AuthorizationTest.AuthTestConf.1
                public void evaluate() throws Throwable {
                    AuthTestConf.this.testConf = new TestConfiguration(AuthTestConf.getAuthConfigs(AuthTestConf.this.tmpFolder.newFolder()));
                    AuthTestConf.this.testConf.apply(statement, description).evaluate();
                }
            }, description);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static String[] getAuthConfigs(File file) throws IOException {
            return new String[]{"security.enabled", AppWithServices.VALUE, "security.authorization.enabled", AppWithServices.VALUE, "security.authorization.extension.jar.path", AppJarHelper.createDeploymentJar(new LocalLocationFactory(file), InMemoryAuthorizer.class, new File[0]).toURI().getPath()};
        }
    }

    @BeforeClass
    public static void setup() {
        instance = new InstanceId(getConfiguration().get("instance.name"));
        SecurityRequestContext.setUserId(ALICE.getName());
    }

    @Before
    public void setupTest() throws Exception {
        Assert.assertEquals(ImmutableSet.of(), getAuthorizer().listPrivileges(ALICE));
    }

    @Test
    public void testNamespaces() throws Exception {
        NamespaceAdmin namespaceAdmin = getNamespaceAdmin();
        Authorizer authorizer = getAuthorizer();
        try {
            namespaceAdmin.create(AUTH_NAMESPACE_META);
            Assert.fail("Namespace create should have failed because alice is not authorized on " + instance);
        } catch (UnauthorizedException e) {
        }
        authorizer.grant(instance, ALICE, ImmutableSet.of(Action.ADMIN));
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        namespaceAdmin.create(AUTH_NAMESPACE_META);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL)), authorizer.listPrivileges(ALICE));
        namespaceAdmin.list();
        namespaceAdmin.get(AUTH_NAMESPACE.toId());
        authorizer.revoke(AUTH_NAMESPACE);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        try {
            namespaceAdmin.deleteDatasets(AUTH_NAMESPACE.toId());
            Assert.fail("Namespace delete datasets should have failed because alice's privileges on the namespace have been revoked");
        } catch (UnauthorizedException e2) {
        }
        authorizer.grant(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        namespaceAdmin.deleteDatasets(AUTH_NAMESPACE.toId());
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        namespaceAdmin.updateProperties(AUTH_NAMESPACE.toId(), new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build());
        namespaceAdmin.delete(AUTH_NAMESPACE.toId());
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        authorizer.revoke(instance);
        Assert.assertEquals(ImmutableSet.of(), authorizer.listPrivileges(ALICE));
    }

    @Test
    @Category({SlowTests.class})
    public void testApps() throws Exception {
        try {
            deployApplication(NamespaceId.DEFAULT.toId(), DummyApp.class, new File[0]);
            Assert.fail("App deployment should fail because alice does not have WRITE access on the default namespace");
        } catch (RuntimeException e) {
            Assert.assertTrue(e.getCause() instanceof UnauthorizedException);
        }
        Authorizer authorizer = getAuthorizer();
        authorizer.grant(instance, ALICE, ImmutableSet.of(Action.ADMIN));
        getNamespaceAdmin().create(AUTH_NAMESPACE_META);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL)), authorizer.listPrivileges(ALICE));
        ApplicationManager deployApplication = deployApplication(AUTH_NAMESPACE.toId(), DummyApp.class, new File[0]);
        ApplicationId app = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
        ArtifactSummary artifact = deployApplication.getInfo().getArtifact();
        ArtifactId artifact2 = Ids.namespace(app.getNamespace()).artifact(artifact.getName(), artifact.getVersion());
        ProgramId service = app.service("Greeting");
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(app, Action.ALL), new Privilege(artifact2, Action.ALL), new Privilege(service, Action.ALL)), authorizer.listPrivileges(ALICE));
        Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty());
        String version = artifact.getVersion();
        deployApplication.update(new AppRequest(artifact));
        SecurityRequestContext.setUserId(BOB.getName());
        try {
            deployApplication.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), version)));
            Assert.fail("App update should have failed because Alice does not have admin privileges on the app.");
        } catch (UnauthorizedException e2) {
        }
        authorizer.grant(app, BOB, ImmutableSet.of(Action.READ, Action.WRITE));
        try {
            deployApplication.delete();
        } catch (UnauthorizedException e3) {
        }
        authorizer.grant(app, BOB, ImmutableSet.of(Action.ADMIN));
        Assert.assertEquals(ImmutableSet.of(new Privilege(app, Action.READ), new Privilege(app, Action.WRITE), new Privilege(app, Action.ADMIN)), authorizer.listPrivileges(BOB));
        deployApplication.delete();
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifact2, Action.ALL)), authorizer.listPrivileges(ALICE));
        Assert.assertTrue("Bob should not have any privileges because all privileges on the app have been revoked since the app got deleted", authorizer.listPrivileges(BOB).isEmpty());
        SecurityRequestContext.setUserId(ALICE.getName());
        ArtifactSummary artifact3 = deployApplication(AUTH_NAMESPACE.toId(), DummyApp.class, new File[0]).getInfo().getArtifact();
        ArtifactId artifact4 = AUTH_NAMESPACE.artifact(artifact3.getName(), artifact3.getVersion());
        ArtifactSummary artifact5 = deployApplication(AUTH_NAMESPACE.toId(), AllProgramsApp.class, new File[0]).getInfo().getArtifact();
        ArtifactId artifact6 = AUTH_NAMESPACE.artifact(artifact5.getName(), artifact5.getVersion());
        ApplicationId app2 = AUTH_NAMESPACE.app("App");
        ProgramId flow = app2.flow("NoOpFlow");
        ProgramId mr = app2.mr("NoOpMR");
        ProgramId mr2 = app2.mr("NoOpMR2");
        ProgramId spark = app2.spark("NoOpSpark");
        ProgramId workflow = app2.workflow("NoOpWorkflow");
        ProgramId service2 = app2.service("NoOpService");
        ProgramId worker = app2.worker("NoOpWorker");
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifact2, Action.ALL), new Privilege(artifact4, Action.ALL), new Privilege(artifact6, Action.ALL), new Privilege(app, Action.ALL), new Privilege[]{new Privilege(app2, Action.ALL), new Privilege(service, Action.ALL), new Privilege(flow, Action.ALL), new Privilege(mr, Action.ALL), new Privilege(mr2, Action.ALL), new Privilege(spark, Action.ALL), new Privilege(workflow, Action.ALL), new Privilege(service2, Action.ALL), new Privilege(worker, Action.ALL)}), authorizer.listPrivileges(ALICE));
        authorizer.revoke(app2);
        authorizer.revoke(flow);
        authorizer.revoke(mr);
        authorizer.revoke(mr2);
        authorizer.revoke(spark);
        authorizer.revoke(workflow);
        authorizer.revoke(service2);
        authorizer.revoke(worker);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifact2, Action.ALL), new Privilege(artifact4, Action.ALL), new Privilege(artifact6, Action.ALL), new Privilege(app, Action.ALL), new Privilege[]{new Privilege(service, Action.ALL)}), authorizer.listPrivileges(ALICE));
        try {
            deleteAllApplications(AUTH_NAMESPACE);
            Assert.fail("Deleting all applications in the namespace should have failed because alice does not have ADMIN privilege on the workflow app.");
        } catch (UnauthorizedException e4) {
        }
        authorizer.grant(app2, ALICE, ImmutableSet.of(Action.ADMIN));
        deleteAllApplications(AUTH_NAMESPACE);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifact2, Action.ALL), new Privilege(artifact4, Action.ALL), new Privilege(artifact6, Action.ALL)), authorizer.listPrivileges(ALICE));
        getNamespaceAdmin().delete(AUTH_NAMESPACE.toId());
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        authorizer.revoke(instance);
        Assert.assertEquals(ImmutableSet.of(), authorizer.listPrivileges(ALICE));
    }

    @Test
    public void testArtifacts() throws Exception {
        try {
            addAppArtifact(NamespaceId.DEFAULT.artifact("app-artifact", "1.1.1"), ConfigTestApp.class);
            Assert.fail("Should not be able to add an app artifact to the default namespace because alice does not have write privileges on the default namespace.");
        } catch (UnauthorizedException e) {
        }
        try {
            addAppArtifact(NamespaceId.DEFAULT.artifact("plugin-artifact", "1.2.3"), ToStringPlugin.class);
            Assert.fail("Should not be able to add a plugin artifact to the default namespace because alice does not have write privileges on the default namespace.");
        } catch (UnauthorizedException e2) {
        }
        Authorizer authorizer = getAuthorizer();
        authorizer.grant(instance, ALICE, ImmutableSet.of(Action.ADMIN));
        getNamespaceAdmin().create(AUTH_NAMESPACE_META);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL)), authorizer.listPrivileges(ALICE));
        ArtifactId artifactId = new ArtifactId(AUTH_NAMESPACE.getNamespace(), "app-artifact", "1.1.1");
        ArtifactManager addAppArtifact = addAppArtifact(artifactId, ConfigTestApp.class);
        ArtifactId artifactId2 = new ArtifactId(AUTH_NAMESPACE.getNamespace(), "plugin-artifact", "1.2.3");
        ArtifactManager addPluginArtifact = addPluginArtifact(artifactId2, artifactId, ToStringPlugin.class, new Class[0]);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifactId, Action.ALL), new Privilege(artifactId2, Action.ALL)), authorizer.listPrivileges(ALICE));
        SecurityRequestContext.setUserId(BOB.getName());
        try {
            addAppArtifact.writeProperties(ImmutableMap.of("authorized", "no"));
            Assert.fail("Writing properties to artifact should have failed because Bob does not have admin privileges on the artifact");
        } catch (UnauthorizedException e3) {
        }
        try {
            addAppArtifact.delete();
            Assert.fail("Deleting artifact should have failed because Bob does not have admin privileges on the artifact");
        } catch (UnauthorizedException e4) {
        }
        try {
            addPluginArtifact.writeProperties(ImmutableMap.of("authorized", "no"));
            Assert.fail("Writing properties to artifact should have failed because Bob does not have admin privileges on the artifact");
        } catch (UnauthorizedException e5) {
        }
        try {
            addPluginArtifact.removeProperties();
            Assert.fail("Removing properties to artifact should have failed because Bob does not have admin privileges on the artifact");
        } catch (UnauthorizedException e6) {
        }
        try {
            addPluginArtifact.delete();
            Assert.fail("Deleting artifact should have failed because Bob does not have admin privileges on the artifact");
        } catch (UnauthorizedException e7) {
        }
        SecurityRequestContext.setUserId(ALICE.getName());
        addAppArtifact.writeProperties(ImmutableMap.of("authorized", "yes"));
        addAppArtifact.removeProperties();
        addAppArtifact.delete();
        addPluginArtifact.delete();
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL)), authorizer.listPrivileges(ALICE));
        getNamespaceAdmin().delete(AUTH_NAMESPACE.toId());
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        authorizer.revoke(instance);
        Assert.assertEquals(ImmutableSet.of(), authorizer.listPrivileges(ALICE));
    }

    @Test
    public void testPrograms() throws Exception {
        Authorizer authorizer = getAuthorizer();
        authorizer.grant(instance, ALICE, ImmutableSet.of(Action.ADMIN));
        getNamespaceAdmin().create(AUTH_NAMESPACE_META);
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL)), authorizer.listPrivileges(ALICE));
        final ApplicationManager deployApplication = deployApplication(AUTH_NAMESPACE.toId(), DummyApp.class, new File[0]);
        ArtifactSummary artifact = deployApplication.getInfo().getArtifact();
        ArtifactId artifact2 = AUTH_NAMESPACE.artifact(artifact.getName(), artifact.getVersion());
        ApplicationId app = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
        final ProgramId service = app.service("Greeting");
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifact2, Action.ALL), new Privilege(app, Action.ALL), new Privilege(service, Action.ALL)), authorizer.listPrivileges(ALICE));
        deployApplication.startProgram(service.toId());
        Tasks.waitFor(true, new Callable<Boolean>() { // from class: co.cask.cdap.security.AuthorizationTest.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public Boolean call() throws Exception {
                return Boolean.valueOf(deployApplication.isRunning(service.toId()));
            }
        }, 5L, TimeUnit.SECONDS);
        ServiceManager serviceManager = deployApplication.getServiceManager(service.getProgram());
        serviceManager.setInstances(2);
        Assert.assertEquals(2L, serviceManager.getProvisionedInstances());
        ImmutableMap of = ImmutableMap.of("key", "value");
        serviceManager.setRuntimeArgs(of);
        deployApplication.stopProgram(service.toId());
        Tasks.waitFor(false, new Callable<Boolean>() { // from class: co.cask.cdap.security.AuthorizationTest.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public Boolean call() throws Exception {
                return Boolean.valueOf(deployApplication.isRunning(service.toId()));
            }
        }, 5L, TimeUnit.SECONDS);
        SecurityRequestContext.setUserId(BOB.getName());
        try {
            deployApplication.startProgram(service.toId());
            Assert.fail("Bob should not be able to start the service because he does not have admin privileges on it.");
        } catch (RuntimeException e) {
            Assert.assertTrue(Throwables.getRootCause(e) instanceof UnauthorizedException);
        }
        try {
            serviceManager.setInstances(3);
            Assert.fail("Setting instances should have failed because bob does not have admin privileges on the service.");
        } catch (RuntimeException e2) {
            Assert.assertTrue(Throwables.getRootCause(e2) instanceof UnauthorizedException);
        }
        try {
            serviceManager.setRuntimeArgs(of);
            Assert.fail("Setting runtime arguments should have failed because bob does not have admin privileges on the service");
        } catch (UnauthorizedException e3) {
        }
        SecurityRequestContext.setUserId(ALICE.getName());
        deployApplication.delete();
        Assert.assertEquals(ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ALL), new Privilege(artifact2, Action.ALL)), authorizer.listPrivileges(ALICE));
        getNamespaceAdmin().delete(AUTH_NAMESPACE.toId());
        authorizer.revoke(instance);
        Assert.assertEquals(ImmutableSet.of(), authorizer.listPrivileges(ALICE));
    }

    @AfterClass
    public static void cleanup() throws Exception {
        SecurityRequestContext.setUserId(OLD_USER);
        finish();
    }
}
