package org.apache.hadoop.hdfs.server.namenode;

import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.UnresolvedLinkException;
import org.apache.hadoop.fs.permission.AclEntry;
import org.apache.hadoop.fs.permission.AclEntryType;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.DistributedFileSystem;
import org.apache.hadoop.hdfs.HdfsConfiguration;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hdfs.protocol.HdfsConstants;
import org.apache.hadoop.hdfs.server.namenode.AuthorizationProvider;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdfs/server/namenode/TestAuthorizationProvider.class */
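/**
 * Exercises the NameNode's pluggable {@link AuthorizationProvider} hook against an in-process
 * {@link MiniDFSCluster}.
 *
 * <p>The cluster is configured with {@link MyAuthorizationProvider}, which records every callback
 * it receives in {@link #CALLED} and otherwise delegates to {@link DefaultAuthorizationProvider},
 * except for paths starting with {@code /user/authz}, where it reports a fixed owner, group,
 * permission and ACL. The tests then check three things:
 * <ul>
 *   <li>each file-system operation reaches the matching provider callback, and the provider sees
 *       {@code isClientOp()} as true during client calls and false during start/stop;</li>
 *   <li>users listed in {@code dfs.namenode.authorization.provider.bypass.users} are served from
 *       the attributes stored in HDFS and never trigger the provider's {@code checkPermission};</li>
 *   <li>attributes reported by the provider are not what a NameNode restarted with the default
 *       provider reports for the same path.</li>
 * </ul>
 */
public class TestAuthorizationProvider {
    /** Permission bits (rwxrwxrwx) the tests store in HDFS itself. */
    private static final short HDFS_PERMISSION = 0777;
    /** Permission bits (rwxrwxr-x) the test provider reports for the paths it takes over. */
    private static final short PROVIDER_PERMISSION = 0775;
    private static final Logger LOG = LoggerFactory.getLogger(TestAuthorizationProvider.class);

    /**
     * Names of the provider callbacks observed since the last {@code clear()}, plus the
     * {@code "isClientOp=<bool>"} markers recorded alongside them.
     */
    // NOTE(review): the provider is presumably invoked from NameNode threads inside the
    // MiniDFSCluster while the test thread reads this set; a plain HashSet gives no visibility
    // or atomicity guarantees across threads -- confirm before relying on it in new assertions.
    private static final Set<String> CALLED = new HashSet<>();

    private MiniDFSCluster miniDFS;

    /**
     * Flips the expectation on a boolean depending on whether the user under test is expected to
     * bypass the provider.
     */
    public class AssertHelper {
        private final boolean bypass;

        AssertHelper(boolean bypass) {
            this.bypass = bypass;
        }

        /**
         * Asserts that {@code z} is false when bypass is expected and true otherwise.
         *
         * @param z whether the provider callback of interest was observed
         */
        public void doAssert(boolean z) {
            if (this.bypass) {
                Assert.assertFalse(z);
            } else {
                Assert.assertTrue(z);
            }
        }
    }

    /**
     * Recording provider used as the fixture. Every callback notes its own name and the current
     * {@code isClientOp()} value in {@link #CALLED}, then delegates to a
     * {@link DefaultAuthorizationProvider} created in {@link #start()}. The getters return fixed
     * values for paths under the {@code /user/authz} prefix instead of delegating.
     */
    public static class MyAuthorizationProvider extends AuthorizationProvider {
        // Created in start(); every callback other than start()/stop() dereferences it without a
        // null check, so they throw NullPointerException if invoked before start().
        private AuthorizationProvider defaultProvider;

        /** Records that {@code callback} ran and whether it ran as part of a client operation. */
        private void recordCall(String callback) {
            TestAuthorizationProvider.CALLED.add(callback);
            TestAuthorizationProvider.CALLED.add("isClientOp=" + isClientOp());
        }

        public void start() {
            recordCall("start");
            if (this.defaultProvider == null) {
                this.defaultProvider = new DefaultAuthorizationProvider();
            }
            this.defaultProvider.start();
        }

        public void stop() {
            recordCall("stop");
            if (this.defaultProvider != null) {
                this.defaultProvider.stop();
            }
        }

        public void setSnaphottableDirs(Map<AuthorizationProvider.INodeAuthorizationInfo, Integer> map) {
            recordCall("setSnaphottableDirs");
            this.defaultProvider.setSnaphottableDirs(map);
        }

        public void addSnapshottable(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
            recordCall("addSnapshottable");
            this.defaultProvider.addSnapshottable(iNodeAuthorizationInfo);
        }

        public void removeSnapshottable(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
            recordCall("removeSnapshottable");
            this.defaultProvider.removeSnapshottable(iNodeAuthorizationInfo);
        }

        public void createSnapshot(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) throws IOException {
            recordCall("createSnapshot");
            this.defaultProvider.createSnapshot(iNodeAuthorizationInfo, i);
        }

        public void removeSnapshot(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) throws IOException {
            recordCall("removeSnapshot");
            this.defaultProvider.removeSnapshot(iNodeAuthorizationInfo, i);
        }

        /**
         * Records the call and forwards every argument unchanged to the default provider, so the
         * access decision itself is always the default one.
         */
        public void checkPermission(String str, Set<String> set, AuthorizationProvider.INodeAuthorizationInfo[] iNodeAuthorizationInfoArr, int i, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException, UnresolvedLinkException {
            recordCall("checkPermission");
            this.defaultProvider.checkPermission(str, set, iNodeAuthorizationInfoArr, i, z, fsAction, fsAction2, fsAction3, fsAction4, z2);
        }

        /**
         * Returns true when the inode's attributes should come from the default provider.
         *
         * <p>This is a plain string-prefix test, so it also matches siblings such as
         * {@code /user/authz2}. That is adequate for this fixture; a provider that decides
         * ownership by path should match on a path-component boundary instead.
         */
        private boolean useDefault(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
            return !iNodeAuthorizationInfo.getFullPathName().startsWith("/user/authz");
        }

        public void setUser(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, String str) {
            recordCall("setUser");
            this.defaultProvider.setUser(iNodeAuthorizationInfo, str);
        }

        /** Reports owner {@code "foo"} for provider-managed paths, the stored owner otherwise. */
        public String getUser(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
            recordCall("getUser");
            if (useDefault(iNodeAuthorizationInfo)) {
                return this.defaultProvider.getUser(iNodeAuthorizationInfo, i);
            }
            return "foo";
        }

        public void setGroup(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, String str) {
            recordCall("setGroup");
            this.defaultProvider.setGroup(iNodeAuthorizationInfo, str);
        }

        /** Reports group {@code "bar"} for provider-managed paths, the stored group otherwise. */
        public String getGroup(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
            recordCall("getGroup");
            if (useDefault(iNodeAuthorizationInfo)) {
                return this.defaultProvider.getGroup(iNodeAuthorizationInfo, i);
            }
            return "bar";
        }

        public void setPermission(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, FsPermission fsPermission) {
            recordCall("setPermission");
            this.defaultProvider.setPermission(iNodeAuthorizationInfo, fsPermission);
        }

        /** Reports {@link #PROVIDER_PERMISSION} for provider-managed paths. */
        public FsPermission getFsPermission(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
            recordCall("getFsPermission");
            if (useDefault(iNodeAuthorizationInfo)) {
                return this.defaultProvider.getFsPermission(iNodeAuthorizationInfo, i);
            }
            return new FsPermission(PROVIDER_PERMISSION);
        }

        /**
         * Reports a single named-group ACL entry (group {@code "xxx"}, all access) for
         * provider-managed paths, the stored ACL otherwise.
         */
        public AclFeature getAclFeature(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
            recordCall("getAclFeature");
            if (useDefault(iNodeAuthorizationInfo)) {
                return this.defaultProvider.getAclFeature(iNodeAuthorizationInfo, i);
            }
            AclEntry groupEntry = new AclEntry.Builder()
                    .setType(AclEntryType.GROUP)
                    .setPermission(FsAction.ALL)
                    .setName("xxx")
                    .build();
            return new AclFeature(AclEntryStatusFormat.toInt(ImmutableList.of(groupEntry)));
        }

        public void removeAclFeature(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
            recordCall("removeAclFeature");
            this.defaultProvider.removeAclFeature(iNodeAuthorizationInfo);
        }

        public void addAclFeature(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, AclFeature aclFeature) {
            recordCall("addAclFeature");
            this.defaultProvider.addAclFeature(iNodeAuthorizationInfo, aclFeature);
        }
    }

    /**
     * Starts a fresh mini cluster with the recording provider installed, ACLs enabled and
     * {@code u2}/{@code u3} configured as provider-bypass users.
     */
    @Before
    public void setUp() throws IOException {
        AuthorizationProvider.set((AuthorizationProvider) null);
        CALLED.clear();
        HdfsConfiguration conf = new HdfsConfiguration();
        conf.set("dfs.namenode.authorization.provider.class", MyAuthorizationProvider.class.getName());
        conf.setBoolean("dfs.namenode.acls.enabled", true);
        // The list is deliberately messy (padding, empty and blank entries).
        // testAuthzBypassingProvider expects u2 and u3 to be bypassed all the same, so it also
        // covers how the NameNode parses this security-relevant setting.
        conf.set("dfs.namenode.authorization.provider.bypass.users", " u2,, ,u3, ");
        EditLogFileOutputStream.setShouldSkipFsyncForTesting(true);
        this.miniDFS = new MiniDFSCluster.Builder(conf).build();
    }

    /**
     * Shuts the cluster down and checks that the provider was stopped outside of any client
     * operation.
     */
    @After
    public void cleanUp() throws IOException {
        try {
            CALLED.clear();
            if (this.miniDFS != null) {
                this.miniDFS.shutdown();
            }
            Assert.assertTrue(CALLED.contains("stop"));
            Assert.assertFalse(CALLED.contains("isClientOp=true"));
            Assert.assertTrue(CALLED.contains("isClientOp=false"));
        } finally {
            // Reset the process-wide provider even when shutdown or an assertion above fails, so
            // the recording provider cannot leak into whichever test runs next in this JVM.
            AuthorizationProvider.set((AuthorizationProvider) null);
        }
    }

    /**
     * Asserts that every named callback was recorded since the last {@code CALLED.clear()} and
     * that all recorded callbacks ran as client operations.
     */
    private static void assertClientCalls(String... expectedCallbacks) {
        for (String callback : expectedCallbacks) {
            Assert.assertTrue(CALLED.contains(callback));
        }
        Assert.assertTrue(CALLED.contains("isClientOp=true"));
        Assert.assertFalse(CALLED.contains("isClientOp=false"));
    }

    /**
     * Walks through the file-system operations and checks that each one reaches the matching
     * provider callback, first as the unprivileged user {@code u1}, then as the user running the
     * test for the ownership and snapshot administration calls.
     */
    @Test
    public void testDelegationToProvider() throws Exception {
        // Cluster start-up happened in setUp(): the callbacks must have run outside a client op.
        Assert.assertTrue(CALLED.contains("start"));
        Assert.assertTrue(CALLED.contains("setSnaphottableDirs"));
        Assert.assertFalse(CALLED.contains("isClientOp=true"));
        Assert.assertTrue(CALLED.contains("isClientOp=false"));

        // FileSystem.get() is declared to return FileSystem; the variable is typed
        // DistributedFileSystem, so the cast is required for this to compile.
        DistributedFileSystem adminFs =
                (DistributedFileSystem) FileSystem.get(this.miniDFS.getConfiguration(0));
        final Path tmp = new Path("/tmp");
        final Path foo = new Path("/tmp/foo");
        adminFs.mkdirs(tmp);
        adminFs.setPermission(tmp, new FsPermission(HDFS_PERMISSION));

        UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", new String[]{"g1"});
        u1.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                FileSystem userFs = FileSystem.get(miniDFS.getConfiguration(0));

                CALLED.clear();
                userFs.mkdirs(foo);
                assertClientCalls("checkPermission");

                CALLED.clear();
                userFs.listStatus(foo);
                assertClientCalls("getUser", "getGroup", "getFsPermission");

                CALLED.clear();
                userFs.setPermission(foo, new FsPermission((short) 0700));
                assertClientCalls("setPermission");

                CALLED.clear();
                userFs.getAclStatus(foo);
                assertClientCalls("getAclFeature");

                CALLED.clear();
                AclEntry userEntry = new AclEntry.Builder()
                        .setName("u3")
                        .setType(AclEntryType.USER)
                        .setPermission(FsAction.ALL)
                        .build();
                userFs.modifyAclEntries(foo, Arrays.asList(userEntry));
                assertClientCalls("addAclFeature");

                CALLED.clear();
                userFs.removeAcl(foo);
                assertClientCalls("removeAclFeature");
                return null;
            }
        });

        CALLED.clear();
        adminFs.setOwner(foo, "u2", "g2");
        assertClientCalls("setUser", "setGroup");

        CALLED.clear();
        adminFs.allowSnapshot(foo);
        assertClientCalls("addSnapshottable");

        CALLED.clear();
        adminFs.createSnapshot(foo, "foo");
        assertClientCalls("createSnapshot");

        CALLED.clear();
        adminFs.deleteSnapshot(foo, "foo");
        assertClientCalls("removeSnapshot");

        CALLED.clear();
        adminFs.disallowSnapshot(foo);
        assertClientCalls("removeSnapshottable");
    }

    /**
     * Reads status, listing and ACL of the provider-managed tree as each of {@code users} and
     * checks which source answered.
     *
     * @param users              user names to impersonate, each with group {@code g1}
     * @param expectedPermission permission bits the user must see on the provider-managed paths
     * @param bypass             true if the provider's {@code checkPermission} must NOT have been
     *                           called for these users, false if it must have been
     */
    private void testBypassProviderHelper(String[] users, final short expectedPermission, boolean bypass) throws Exception {
        final AssertHelper asserter = new AssertHelper(bypass);
        Assert.assertTrue(CALLED.contains("start"));

        FileSystem adminFs = FileSystem.get(this.miniDFS.getConfiguration(0));
        final Path userDir = new Path("/user");
        Path authz = new Path("/user/authz");
        final Path authzChild = new Path("/user/authz/child2");
        // Everything is stored world-accessible in HDFS, so any difference a user observes comes
        // from the provider, not from the stored bits.
        for (Path dir : new Path[]{userDir, authz, authzChild}) {
            adminFs.mkdirs(dir);
            adminFs.setPermission(dir, new FsPermission(HDFS_PERMISSION));
        }

        for (String user : users) {
            UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, new String[]{"g1"});
            ugi.doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    FileSystem userFs = FileSystem.get(miniDFS.getConfiguration(0));

                    Assert.assertEquals(expectedPermission,
                            userFs.getFileStatus(authzChild).getPermission().toShort());
                    asserter.doAssert(CALLED.contains("checkPermission"));

                    CALLED.clear();
                    // /user was created by this helper on a fresh cluster and holds only authz,
                    // so entry 0 of the listing is /user/authz.
                    Assert.assertEquals(expectedPermission,
                            userFs.listStatus(userDir)[0].getPermission().toShort());
                    asserter.doAssert(CALLED.contains("checkPermission"));

                    CALLED.clear();
                    userFs.getAclStatus(authzChild);
                    asserter.doAssert(CALLED.contains("checkPermission"));
                    return null;
                }
            });
        }
    }

    /** A user outside the bypass list sees the provider's permission and is checked by it. */
    @Test
    public void testAuthzDelegationToProvider() throws Exception {
        LOG.info("Test not bypassing provider");
        testBypassProviderHelper(new String[]{"u1"}, PROVIDER_PERMISSION, false);
    }

    /**
     * Users on the bypass list see the permission stored in HDFS and never reach the provider's
     * {@code checkPermission}. Bypass users therefore skip the external authorization plugin
     * entirely, which is why the list's parsing is pinned down here.
     */
    @Test
    public void testAuthzBypassingProvider() throws Exception {
        LOG.info("Test bypassing provider");
        testBypassProviderHelper(new String[]{"u2", "u3"}, HDFS_PERMISSION, true);
    }

    /**
     * Checks that the provider's answers are in effect only while it is the configured provider:
     * after saving the namespace and restarting with {@link DefaultAuthorizationProvider}, the
     * provider-managed path reports the stored owner and group again, and restarting with the
     * custom provider brings the provider's values back.
     */
    @Test
    public void testCustomProvider() throws Exception {
        final Path plainDir = new Path("/user/xxx");
        final Path authzDir = new Path("/user/authz");
        final String currentUser = System.getProperty("user.name");

        FileSystem fs = FileSystem.get(this.miniDFS.getConfiguration(0));

        // Outside the provider-managed prefix: stored owner, group and default directory mode.
        fs.mkdirs(plainDir);
        FileStatus plainStatus = fs.getFileStatus(plainDir);
        Assert.assertEquals(currentUser, plainStatus.getOwner());
        Assert.assertEquals("supergroup", plainStatus.getGroup());
        Assert.assertEquals(new FsPermission((short) 0755), plainStatus.getPermission());

        // Inside the prefix: the provider's fixed values.
        fs.mkdirs(authzDir);
        FileStatus providerStatus = fs.getFileStatus(authzDir);
        Assert.assertEquals("foo", providerStatus.getOwner());
        Assert.assertEquals("bar", providerStatus.getGroup());
        Assert.assertEquals(new FsPermission(PROVIDER_PERMISSION), providerStatus.getPermission());

        // Save the namespace while the custom provider is active, then restart without it.
        this.miniDFS.getNameNodeRpc(0).setSafeMode(HdfsConstants.SafeModeAction.SAFEMODE_ENTER, true);
        this.miniDFS.getNameNodeRpc(0).saveNamespace();
        this.miniDFS.getNameNodeRpc(0).setSafeMode(HdfsConstants.SafeModeAction.SAFEMODE_LEAVE, true);
        this.miniDFS.getConfiguration(0).set("dfs.namenode.authorization.provider.class", DefaultAuthorizationProvider.class.getName());
        this.miniDFS.restartNameNodes();
        this.miniDFS.waitClusterUp();

        // With the default provider the path no longer reports foo/bar, i.e. the provider's
        // answers did not replace the stored owner and group.
        FileStatus defaultStatus = FileSystem.get(this.miniDFS.getConfiguration(0)).getFileStatus(authzDir);
        Assert.assertEquals(currentUser, defaultStatus.getOwner());
        Assert.assertEquals("supergroup", defaultStatus.getGroup());

        // Switching back restores the provider's view of the same path.
        this.miniDFS.getConfiguration(0).set("dfs.namenode.authorization.provider.class", MyAuthorizationProvider.class.getName());
        this.miniDFS.restartNameNodes();
        this.miniDFS.waitClusterUp();
        FileStatus restoredStatus = FileSystem.get(this.miniDFS.getConfiguration(0)).getFileStatus(authzDir);
        Assert.assertEquals("foo", restoredStatus.getOwner());
        Assert.assertEquals("bar", restoredStatus.getGroup());
        Assert.assertEquals(new FsPermission(PROVIDER_PERMISSION), restoredStatus.getPermission());
    }
}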
