package io.trino.tests.product.jdbc;

import com.google.common.collect.Iterables;
import com.google.inject.Inject;
import com.google.inject.name.Named;
import io.trino.tempto.BeforeMethodWithContext;
import io.trino.tempto.ProductTest;
import io.trino.tempto.assertions.QueryAssert;
import io.trino.tempto.kerberos.KerberosAuthentication;
import io.trino.tempto.query.QueryResult;
import io.trino.tests.product.TestGroups;
import io.trino.tests.product.TpchTableResults;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Properties;
import javax.security.auth.Subject;
import org.assertj.core.api.Assertions;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/tests/product/jdbc/TestKerberosConstrainedDelegationJdbc.class */
public class TestKerberosConstrainedDelegationJdbc extends ProductTest {
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";

    @Named("databases.presto.jdbc_url")
    @Inject
    String jdbcUrl;

    @Named("databases.presto.kerberos_principal")
    @Inject
    private String kerberosPrincipal;

    @Named("databases.presto.kerberos_keytab")
    @Inject
    private String kerberosKeytab;
    private GSSManager gssManager;
    private KerberosAuthentication kerberosAuthentication;

    @BeforeMethodWithContext
    public void setUp() {
        this.gssManager = GSSManager.getInstance();
        this.kerberosAuthentication = new KerberosAuthentication(this.kerberosPrincipal, this.kerberosKeytab);
    }

    @Test(groups = {TestGroups.JDBC_KERBEROS_CONSTRAINED_DELEGATION})
    public void testSelectConstrainedDelegationKerberos() throws Exception {
        Properties properties = new Properties();
        GSSCredential createGssCredential = createGssCredential();
        properties.put("KerberosConstrainedDelegation", createGssCredential);
        try {
            Connection connection = DriverManager.getConnection(this.jdbcUrl, properties);
            try {
                PreparedStatement prepareStatement = connection.prepareStatement("SELECT * FROM tpch.tiny.nation");
                try {
                    ResultSet executeQuery = prepareStatement.executeQuery();
                    try {
                        QueryAssert.assertThat(QueryResult.forResultSet(executeQuery)).matches(TpchTableResults.PRESTO_NATION_RESULT);
                        if (executeQuery != null) {
                            executeQuery.close();
                        }
                        if (prepareStatement != null) {
                            prepareStatement.close();
                        }
                        if (connection != null) {
                            connection.close();
                        }
                    } catch (Throwable th) {
                        if (executeQuery != null) {
                            try {
                                executeQuery.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    if (prepareStatement != null) {
                        try {
                            prepareStatement.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } finally {
            }
        } finally {
            createGssCredential.dispose();
        }
    }

    @Test(groups = {TestGroups.JDBC_KERBEROS_CONSTRAINED_DELEGATION})
    public void testCtasConstrainedDelegationKerberos() throws Exception {
        Properties properties = new Properties();
        GSSCredential createGssCredential = createGssCredential();
        properties.put("KerberosConstrainedDelegation", createGssCredential);
        try {
            Connection connection = DriverManager.getConnection(this.jdbcUrl, properties);
            try {
                PreparedStatement prepareStatement = connection.prepareStatement(String.format("CREATE TABLE %s AS SELECT * FROM tpch.tiny.nation", "test_kerberos_ctas"));
                try {
                    Assertions.assertThat(prepareStatement.executeUpdate()).isEqualTo(25);
                    if (prepareStatement != null) {
                        prepareStatement.close();
                    }
                    if (connection != null) {
                        connection.close();
                    }
                } catch (Throwable th) {
                    if (prepareStatement != null) {
                        try {
                            prepareStatement.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } finally {
            createGssCredential.dispose();
        }
    }

    @Test(groups = {TestGroups.JDBC_KERBEROS_CONSTRAINED_DELEGATION})
    public void testQueryOnDisposedCredential() throws Exception {
        Properties properties = new Properties();
        GSSCredential createGssCredential = createGssCredential();
        createGssCredential.dispose();
        properties.put("KerberosConstrainedDelegation", createGssCredential);
        Connection connection = DriverManager.getConnection(this.jdbcUrl, properties);
        try {
            Assertions.assertThatThrownBy(() -> {
                connection.prepareStatement("SELECT * FROM tpch.tiny.nation");
            }).cause().isInstanceOf(IllegalStateException.class).hasMessageContaining("This credential is no longer valid");
            if (connection != null) {
                connection.close();
            }
        } catch (Throwable th) {
            if (connection != null) {
                try {
                    connection.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test(groups = {TestGroups.JDBC_KERBEROS_CONSTRAINED_DELEGATION})
    public void testQueryOnExpiredCredential() throws Exception {
        Properties properties = new Properties();
        GSSCredential createGssCredential = createGssCredential();
        Thread.sleep(30000L);
        Assertions.assertThat(createGssCredential.getRemainingLifetime()).isLessThanOrEqualTo(60);
        properties.put("KerberosConstrainedDelegation", createGssCredential);
        try {
            Connection connection = DriverManager.getConnection(this.jdbcUrl, properties);
            try {
                Assertions.assertThatThrownBy(() -> {
                    connection.prepareStatement("SELECT * FROM tpch.tiny.nation");
                }).isInstanceOf(SQLException.class).hasMessageContaining("Kerberos credential is expired");
                if (connection != null) {
                    connection.close();
                }
            } finally {
            }
        } finally {
            createGssCredential.dispose();
        }
    }

    private GSSCredential createGssCredential() {
        Subject authenticate = this.kerberosAuthentication.authenticate();
        Principal principal = (Principal) Iterables.getOnlyElement(authenticate.getPrincipals());
        try {
            return (GSSCredential) Subject.doAs(authenticate, () -> {
                return this.gssManager.createCredential(this.gssManager.createName(principal.getName(), GSSName.NT_USER_NAME), 0, new Oid(KERBEROS_OID), 1);
            });
        } catch (PrivilegedActionException e) {
            throw new RuntimeException(e.getCause());
        }
    }
}
