package org.apache.storm.security.auth;

import com.google.common.net.InetAddresses;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.Subject;
import org.apache.storm.Testing;
import org.apache.storm.cluster.ClusterStateContext;
import org.apache.storm.cluster.ClusterUtils;
import org.apache.storm.cluster.DaemonType;
import org.apache.storm.generated.Nimbus;
import org.apache.storm.generated.WorkerToken;
import org.apache.storm.generated.WorkerTokenServiceType;
import org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer;
import org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer;
import org.apache.storm.security.auth.authorizer.SimpleWhitelistAuthorizer;
import org.apache.storm.security.auth.digest.DigestSaslTransportPlugin;
import org.apache.storm.security.auth.workertoken.WorkerTokenManager;
import org.apache.storm.testing.InProcessZookeeper;
import org.apache.storm.thrift.transport.TTransportException;
import org.apache.storm.utils.ConfigUtils;
import org.apache.storm.utils.NimbusClient;
import org.apache.storm.utils.Time;
import org.apache.storm.utils.Utils;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/AuthTest.class */
public class AuthTest {
    // Timeout value handed to every NimbusClient built in this class.
    // NOTE(review): unit is not visible here, presumably milliseconds; confirm against NimbusClient.
    public static final int NIMBUS_TIMEOUT = 3000;
    // NOTE(review): the blank finals below have no initializer in this listing; they are
    // presumably assigned in a static initializer that lies outside this view.
    private static final Logger LOG;
    // Not referenced by any method visible in this part of the file.
    private static final File BASE;
    // Used as the "java.security.auth.login.config" value for the digest server and its clients.
    private static final String DIGEST_JAAS_CONF;
    // Login configs passed to verifyIncorrectJaasConf; each is expected to be rejected
    // with a TTransportException in the cause chain.
    private static final String BAD_PASSWORD_CONF;
    private static final String WRONG_USER_CONF;
    // Login config passed to verifyIncorrectJaasConf expecting an IOException cause; also the
    // server-side login config of workerTokenDigestAuthTest.
    private static final String MISSING_CLIENT;
    // Compiler-generated flag behind Java `assert` statements: any check guarded by
    // `!$assertionsDisabled` only runs when the JVM has assertions enabled (-ea).
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/apache/storm/security/auth/AuthTest$MyBiConsumer.class */
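    /**
     * Two-argument callback that, unlike {@link java.util.function.BiConsumer}, may throw a
     * checked exception. The {@code withServer} helpers use it to run a test body against a
     * live server and its configuration.
     *
     * @param <T> type of the first argument
     * @param <U> type of the second argument
     */
    @FunctionalInterface // keeps the type lambda-compatible: a second abstract method is a compile error
    public interface MyBiConsumer<T, U> {
        /**
         * Runs the callback.
         *
         * @param t first argument
         * @param u second argument
         * @throws Exception any failure raised by the callback body
         */
        void accept(T t, U u) throws Exception;
    }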

    /**
     * Builds a lightweight {@link Principal} whose identity is just its name.
     *
     * <p>Equality is name-based against any {@code Principal} implementation, so two principals
     * of different classes compare equal when their names match. That is convenient for tests
     * but is not necessarily symmetric with other implementations' {@code equals}.
     *
     * @param str the principal name; must not be null, since {@code equals} and
     *            {@code hashCode} dereference it
     * @return a principal reporting {@code str} as its name and string form
     */
    public static Principal mkPrincipal(final String str) {
        return new Principal() {
            @Override
            public String getName() {
                return str;
            }

            @Override
            public String toString() {
                return str;
            }

            @Override
            public int hashCode() {
                return str.hashCode();
            }

            @Override
            public boolean equals(Object obj) {
                if (!(obj instanceof Principal)) {
                    return false;
                }
                final Principal other = (Principal) obj;
                return str.equals(other.getName());
            }
        };
    }

    /**
     * Creates a read-only {@link Subject} holding a single principal and no credentials.
     *
     * @param str name of the principal to place in the subject
     * @return a read-only subject whose only principal is {@code mkPrincipal(str)}
     */
    public static Subject mkSubject(String str) {
        final Set<Principal> principals = Collections.singleton(mkPrincipal(str));
        // First argument 'true' marks the subject read-only; both credential sets stay empty.
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    /**
     * Runs {@code myBiConsumer} against a server started with the given transport plugin and no
     * JAAS login configuration, ZooKeeper or extra configuration.
     *
     * @param cls          transport plugin class the server is configured with
     * @param iface        Nimbus handler, or null for a Mockito mock
     * @param myBiConsumer test body, given the running server and its configuration
     * @throws Exception whatever the test body or server setup throws
     */
    public static void withServer(Class<? extends ITransportPlugin> cls, Nimbus.Iface iface, MyBiConsumer<ThriftServer, Map<String, Object>> myBiConsumer) throws Exception {
        // A null login config goes through the four-argument overload, which supplies
        // the remaining null defaults.
        withServer(null, cls, iface, myBiConsumer);
    }

    /**
     * Runs {@code myBiConsumer} against a server started with the given JAAS login configuration
     * and transport plugin, without ZooKeeper or extra configuration.
     *
     * @param str          value for "java.security.auth.login.config", or null to leave it unset
     * @param cls          transport plugin class the server is configured with
     * @param iface        Nimbus handler, or null for a Mockito mock
     * @param myBiConsumer test body, given the running server and its configuration
     * @throws Exception whatever the test body or server setup throws
     */
    public static void withServer(String str, Class<? extends ITransportPlugin> cls, Nimbus.Iface iface, MyBiConsumer<ThriftServer, Map<String, Object>> myBiConsumer) throws Exception {
        final InProcessZookeeper noZookeeper = null;
        final Map<String, Object> noExtraConf = null;
        withServer(str, cls, iface, noZookeeper, noExtraConf, myBiConsumer);
    }

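    /**
     * Starts an in-process Nimbus Thrift server, waits until it is serving, runs the test body
     * against it and stops the server afterwards.
     *
     * <p>The configuration is built in layers: the Storm config as read from disk, then the
     * port, transport and optional login-config/ZooKeeper settings chosen here, then
     * {@code map}. Because {@code map} is applied last it can override any of the earlier
     * values, including the transport plugin and the JAAS login configuration.
     *
     * @param str                value for "java.security.auth.login.config", or null to leave it unset
     * @param cls                transport plugin class stored under "storm.thrift.transport"
     * @param iface              Nimbus handler, or null for a Mockito mock
     * @param inProcessZookeeper ZooKeeper to point the config at (localhost and its port), or null
     * @param map                extra configuration entries applied last, or null
     * @param myBiConsumer       test body, given the running server and the final configuration
     * @throws Exception whatever the test body or server setup throws
     */
    public static void withServer(String str, Class<? extends ITransportPlugin> cls, Nimbus.Iface iface, InProcessZookeeper inProcessZookeeper, Map<String, Object> map, MyBiConsumer<ThriftServer, Map<String, Object>> myBiConsumer) throws Exception {
        final Map<String, Object> conf = ConfigUtils.readStormConfig();
        // Port 0 (presumably an ephemeral port); callers read the real one back
        // through thriftServer.getPort().
        conf.put("nimbus.thrift.port", 0);
        conf.put("storm.thrift.transport", cls.getName());
        if (str != null) {
            conf.put("java.security.auth.login.config", str);
        }
        if (inProcessZookeeper != null) {
            conf.put("storm.zookeeper.servers", Arrays.asList("localhost"));
            conf.put("storm.zookeeper.port", Long.valueOf(inProcessZookeeper.getPort()));
        }
        if (map != null) {
            conf.putAll(map);
        }

        final Nimbus.Iface handler = (iface != null) ? iface : Mockito.mock(Nimbus.Iface.class);
        final ThriftServer thriftServer = new ThriftServer(conf, new Nimbus.Processor<>(handler), ThriftConnectionType.NIMBUS);
        LOG.info("Created Server... {}", thriftServer);

        final Runnable serveLoop = () -> {
            LOG.info("Starting Serving...");
            thriftServer.serve();
        };
        new Thread(serveLoop).start();

        Testing.whileTimeout(() -> !thriftServer.isServing(), () -> {
            try {
                Time.sleep(100L);
            } catch (InterruptedException ignored) {
                // Deliberately not propagated: the polling loop re-checks isServing() and is
                // presumably bounded by Testing.whileTimeout's own deadline. Re-asserting the
                // interrupt flag here would make every later sleep return at once.
            }
        });

        try {
            LOG.info("Starting to run {}", myBiConsumer);
            myBiConsumer.accept(thriftServer, conf);
            LOG.info("{} finished with no exceptions", myBiConsumer);
        } finally {
            // A single stop() on every exit path. The earlier catch-and-rethrow form called
            // stop() a second time when the first stop() itself failed.
            LOG.info("Stopping server {}", thriftServer);
            thriftServer.stop();
        }
    }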

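    /**
     * Negative authentication check: a client using the given JAAS login configuration must
     * fail to call the server, and the failure must have {@code cls} in its cause chain.
     *
     * <p>The cause-type check uses a JUnit assertion so that it is enforced on every run. A
     * Java {@code assert} would be skipped when the JVM runs without {@code -ea}, letting
     * any exception at all count as "authentication rejected".
     *
     * @param thriftServer running server to connect to
     * @param map          base client configuration; copied, not modified
     * @param str          value for "java.security.auth.login.config" in the copy
     * @param cls          exception type expected somewhere in the failure's cause chain
     */
    public static void verifyIncorrectJaasConf(ThriftServer thriftServer, Map<String, Object> map, String str, Class<? extends Exception> cls) {
        final Map<String, Object> badConf = new HashMap<>(map);
        badConf.put("java.security.auth.login.config", str);
        // try-with-resources closes the client on the failure path as well.
        try (NimbusClient client = new NimbusClient(badConf, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
            client.getClient().activate("bad_auth_test_topology");
            // Assert.fail raises AssertionError, an Error, so the catch (Exception) below
            // does not swallow it.
            Assert.fail("An exception should have been thrown trying to connect.");
        } catch (Exception e) {
            LOG.info("Got Exception...", e);
            Assert.assertTrue("Expected a failure caused by " + cls.getName() + " but got " + e,
                Utils.exceptionCauseIsInstanceOf(cls, e));
        }
    }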

    /**
     * Builds a fresh {@link Subject} populated from a credentials map that holds only the
     * given worker token.
     *
     * @param workerToken token to store in the credentials map
     * @return a new subject after {@code ClientAuthUtils.updateSubject} has processed it with
     *         no auto-credential plugins
     */
    public static Subject createSubjectWith(WorkerToken workerToken) {
        final Subject tokenHolder = new Subject();
        final Map<String, String> credentials = new HashMap<>();
        ClientAuthUtils.setWorkerToken(credentials, workerToken);
        // The empty list means no auto-credential implementations take part.
        ClientAuthUtils.updateSubject(tokenHolder, Collections.emptyList(), credentials);
        return tokenHolder;
    }

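    /**
     * Connects to the server while running as {@code subject} and calls {@code activate(str)}.
     *
     * @param map          client configuration
     * @param thriftServer running server to connect to
     * @param subject      identity the connection attempt runs under ({@code Subject.doAs})
     * @param str          topology name passed to {@code activate}
     * @throws PrivilegedActionException wrapping any checked exception raised while
     *                                   connecting or calling the server
     */
    public static void tryConnectAs(Map<String, Object> map, ThriftServer thriftServer, Subject subject, String str) throws PrivilegedActionException {
        // Subject.doAs is overloaded for PrivilegedAction and PrivilegedExceptionAction and a
        // bare lambda matches both, so the target type is spelled out. It is fully qualified
        // to avoid a new file-level import.
        Subject.doAs(subject, (java.security.PrivilegedExceptionAction<Void>) () -> {
            // try-with-resources closes the client exactly once, on success and on failure.
            try (NimbusClient client = new NimbusClient(map, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
                client.getClient().activate(str);
            }
            return null;
        });
    }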

    /**
     * Issues (or refreshes) a NIMBUS worker token, wraps it in a subject and uses that subject
     * to call {@code activate(str2)} on the server.
     *
     * @param workerTokenManager issuer of the token
     * @param map                client configuration
     * @param thriftServer       running server to connect to
     * @param str                first argument to {@code createOrUpdateTokenFor}; the tests
     *                           pass a user name here
     * @param str2               second argument to {@code createOrUpdateTokenFor}, also used
     *                           as the topology name for {@code activate}
     * @return the subject carrying the token, for later reconnect attempts
     * @throws PrivilegedActionException if the connection attempt fails
     */
    public static Subject testConnectWithTokenFor(WorkerTokenManager workerTokenManager, Map<String, Object> map, ThriftServer thriftServer, String str, String str2) throws PrivilegedActionException {
        final WorkerToken token = workerTokenManager.createOrUpdateTokenFor(WorkerTokenServiceType.NIMBUS, str, str2);
        final Subject tokenHolder = createSubjectWith(token);
        tryConnectAs(map, thriftServer, tokenHolder, str2);
        return tokenHolder;
    }

    /**
     * Asserts that the request context captured by the server handler belongs to the expected
     * user with no impersonation, then clears the reference for the next call.
     *
     * @param atomicReference holder the mocked handler stores the request context in
     * @param str             expected principal name
     */
    public static void verifyUserIs(AtomicReference<ReqContext> atomicReference, String str) {
        final ReqContext captured = atomicReference.get();
        Assert.assertNotNull(captured);
        final String authenticatedAs = captured.principal().getName();
        Assert.assertEquals(str, authenticatedAs);
        Assert.assertFalse(captured.isImpersonating());
        // Reset only once every check has passed, so a stale context cannot satisfy the
        // next verification.
        atomicReference.set(null);
    }

    /**
     * Builds a request context in which one principal acts through another subject.
     *
     * @param str         name set as the context's real principal
     * @param str2        name of the principal inside the context's subject
     * @param inetAddress remote address recorded on the context
     * @return the populated request context
     */
    public static ReqContext mkImpersonatingReqContext(String str, String str2, InetAddress inetAddress) {
        final Subject contextSubject = mkSubject(str2);
        final Principal realPrincipal = mkPrincipal(str);
        final ReqContext ctx = new ReqContext(contextSubject);
        ctx.setRemoteAddress(inetAddress);
        ctx.setRealPrincipal(realPrincipal);
        return ctx;
    }

    /**
     * Checks that {@code KerberosPrincipalToLocal} reduces a principal name to its first
     * component: the realm and any host part are dropped, and a bare name is unchanged.
     */
    @Test
    public void kerbToLocalTest() {
        final KerberosPrincipalToLocal mapper = new KerberosPrincipalToLocal();
        mapper.prepare(Collections.emptyMap());
        // Each row is {principal name, expected local name}.
        final String[][] cases = {
            {"me@realm", "me"},
            {"simple", "simple"},
            {"someone/host@realm", "someone"},
        };
        for (String[] row : cases) {
            Assert.assertEquals(row[1], mapper.toLocal(mkPrincipal(row[0])));
        }
    }

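    /**
     * Server on the simple transport: a simple-transport client gets through, while a client
     * configured for digest SASL fails with a transport-level error and its call never
     * reaches the handler.
     *
     * @throws Exception if the server cannot be started or an unexpected failure occurs
     */
    @Test
    public void simpleAuthTest() throws Exception {
        final Nimbus.Iface handler = Mockito.mock(Nimbus.Iface.class);
        withServer(SimpleTransportPlugin.class, handler, (thriftServer, map) -> {
            // Matching transport: the call must succeed. try-with-resources closes the client
            // exactly once, before the mismatched client is created.
            try (NimbusClient client = new NimbusClient(map, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
                client.getClient().activate("security_auth_test_topology");
            }

            // Mismatched transport: the client speaks digest SASL to the simple-transport server.
            final Map<String, Object> digestConf = new HashMap<>(map);
            digestConf.put("storm.thrift.transport", DigestSaslTransportPlugin.class.getName());
            digestConf.put("java.security.auth.login.config", DIGEST_JAAS_CONF);
            digestConf.put("storm.nimbus.retry.times", 0);
            try (NimbusClient client = new NimbusClient(digestConf, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
                client.getClient().activate("bad_security_auth_test_topology");
                // AssertionError is an Error, so the catch (Exception) below does not swallow it.
                Assert.fail("An exception should have been thrown trying to connect.");
            } catch (Exception e) {
                LOG.info("Got Exception...", e);
                // JUnit assertion rather than Java `assert`, which is skipped when the JVM
                // runs without -ea.
                Assert.assertTrue("Expected a TTransportException cause but got " + e,
                    Utils.exceptionCauseIsInstanceOf(TTransportException.class, e));
            }
        });
        Mockito.verify(handler).activate("security_auth_test_topology");
        Mockito.verify(handler, Mockito.never()).activate("bad_security_auth_test_topology");
    }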

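    /**
     * Server on digest SASL: the configured user authenticates as "bob" without
     * impersonation, a simple-transport client is rejected, and each broken JAAS
     * configuration (bad password, wrong user, nonexistent file, missing client section)
     * fails with the expected cause type.
     *
     * @throws Exception if the server cannot be started or an unexpected failure occurs
     */
    @Test
    public void digestAuthTest() throws Exception {
        final Nimbus.Iface handler = Mockito.mock(Nimbus.Iface.class);
        final AtomicReference<ReqContext> lastContext = new AtomicReference<>();
        // Snapshot the request context of every activate() call so the authenticated
        // principal can be inspected from the test thread.
        Mockito.doAnswer(invocationOnMock -> {
            lastContext.set(new ReqContext(ReqContext.context()));
            return null;
        }).when(handler).activate(Mockito.anyString());

        withServer(DIGEST_JAAS_CONF, DigestSaslTransportPlugin.class, handler, (thriftServer, map) -> {
            // Valid digest credentials: the call must succeed. The client is closed exactly once.
            try (NimbusClient client = new NimbusClient(map, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
                client.getClient().activate("security_auth_test_topology");
            }

            map.put("storm.nimbus.retry.times", 0);
            // Mismatched transport: a client that skips SASL must not get through.
            final Map<String, Object> simpleConf = new HashMap<>(map);
            simpleConf.put("storm.thrift.transport", SimpleTransportPlugin.class.getName());
            try (NimbusClient client = new NimbusClient(simpleConf, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
                client.getClient().activate("bad_security_auth_test_topology");
                // AssertionError is an Error, so the catch (Exception) below does not swallow it.
                Assert.fail("An exception should have been thrown trying to connect.");
            } catch (Exception e) {
                LOG.info("Got Exception...", e);
                // JUnit assertion rather than Java `assert`, which is skipped when the JVM
                // runs without -ea.
                Assert.assertTrue("Expected a TTransportException cause but got " + e,
                    Utils.exceptionCauseIsInstanceOf(TTransportException.class, e));
            }

            // The only context captured so far must be the successful call's: user "bob",
            // no impersonation.
            verifyUserIs(lastContext, "bob");

            verifyIncorrectJaasConf(thriftServer, map, BAD_PASSWORD_CONF, TTransportException.class);
            verifyIncorrectJaasConf(thriftServer, map, WRONG_USER_CONF, TTransportException.class);
            verifyIncorrectJaasConf(thriftServer, map, "./nonexistent.conf", RuntimeException.class);
            verifyIncorrectJaasConf(thriftServer, map, MISSING_CLIENT, IOException.class);
        });
        Mockito.verify(handler).activate("security_auth_test_topology");
        Mockito.verify(handler, Mockito.never()).activate("bad_auth_test_topology");
        // The simple-transport attempt used a different topology name. Check it too, so a
        // request that bypassed SASL and reached the handler cannot go unnoticed.
        Mockito.verify(handler, Mockito.never()).activate("bad_security_auth_test_topology");
    }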

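    /**
     * Worker-token authentication over digest SASL, driven with simulated time.
     *
     * <p>Sequence: a client with no token is rejected; bob gets a token and connects; 12
     * simulated hours later alice gets a token and connects; 13 hours after that (25 hours
     * after bob's token was issued) bob's old token is rejected while alice's 13-hour-old
     * token still works; bob is then issued a new token and connects again.
     *
     * @throws Exception if the server or ZooKeeper cannot be started or an unexpected failure occurs
     */
    @Test
    public void workerTokenDigestAuthTest() throws Exception {
        LOG.info("\n\n\t\tworkerTokenDigestAuthTest - START\n\n");
        final Nimbus.Iface handler = Mockito.mock(Nimbus.Iface.class);
        final AtomicReference<ReqContext> lastContext = new AtomicReference<>();
        // Snapshot the request context of every activate() call so the authenticated
        // principal can be inspected from the test thread.
        Mockito.doAnswer(invocationOnMock -> {
            lastContext.set(new ReqContext(ReqContext.context()));
            return null;
        }).when(handler).activate(Mockito.anyString());

        final Map<String, Object> extraConf = new HashMap<>();
        // Testing-only switch, as the key says: it enables worker tokens on a setup that is
        // not otherwise secured. It does not belong in any real cluster configuration.
        extraConf.put("TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS", true);

        // try-with-resources closes ZooKeeper, the simulated clock and every client exactly once.
        try (InProcessZookeeper zk = new InProcessZookeeper()) {
            withServer(MISSING_CLIENT, DigestSaslTransportPlugin.class, handler, zk, extraConf, (thriftServer, map) -> {
                try (Time.SimulatedTime simulatedTime = new Time.SimulatedTime()) {
                    map.put("storm.nimbus.retry.times", 0);

                    // No token in the subject: the connection must be refused.
                    try (NimbusClient client = new NimbusClient(map, "localhost", thriftServer.getPort(), Integer.valueOf(NIMBUS_TIMEOUT))) {
                        client.getClient().activate("bad_auth_test_topology");
                        // AssertionError is an Error, so catch (Exception) does not swallow it.
                        Assert.fail("We should not be able to connect without a token...");
                    } catch (Exception e) {
                        // JUnit assertion rather than Java `assert`, which is skipped when
                        // the JVM runs without -ea.
                        Assert.assertTrue("Expected an IOException cause but got " + e,
                            Utils.exceptionCauseIsInstanceOf(IOException.class, e));
                    }

                    final WorkerTokenManager tokenManager = new WorkerTokenManager(map, ClusterUtils.mkStormClusterState(map, new ClusterStateContext(DaemonType.NIMBUS, map)));
                    final Subject bob = testConnectWithTokenFor(tokenManager, map, thriftServer, "bob", "topo-bob");
                    verifyUserIs(lastContext, "bob");

                    Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(12L));
                    final Subject alice = testConnectWithTokenFor(tokenManager, map, thriftServer, "alice", "topo-alice");
                    verifyUserIs(lastContext, "alice");

                    Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(13L));
                    // Bob's first token is now 25 simulated hours old and must no longer
                    // be accepted.
                    try {
                        tryConnectAs(map, thriftServer, bob, "bad_auth_test_topology");
                        Assert.fail("We should not be able to connect with bad auth");
                    } catch (Exception e) {
                        Assert.assertTrue("Expected a TTransportException cause but got " + e,
                            Utils.exceptionCauseIsInstanceOf(TTransportException.class, e));
                    }

                    // Alice's token is 13 simulated hours old and must still work.
                    tryConnectAs(map, thriftServer, alice, "topo-alice");
                    verifyUserIs(lastContext, "alice");

                    // A newly issued token lets bob back in and leaves alice's token valid.
                    testConnectWithTokenFor(tokenManager, map, thriftServer, "bob", "topo-bob");
                    verifyUserIs(lastContext, "bob");
                    tryConnectAs(map, thriftServer, alice, "topo-alice");
                    verifyUserIs(lastContext, "alice");
                }
            });
        }
        Mockito.verify(handler, Mockito.times(2)).activate("topo-bob");
        Mockito.verify(handler, Mockito.times(3)).activate("topo-alice");
        Mockito.verify(handler, Mockito.never()).activate("bad_auth_test_topology");
        LOG.info("\n\n\t\tworkerTokenDigestAuthTest - END\n\n");
    }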

    /**
     * With no user added to the whitelist by this test, {@code SimpleWhitelistAuthorizer}
     * must deny "activate" for "user".
     */
    @Test
    public void negativeWhitelistAuthroizationTest() {
        final Map<String, Object> conf = ConfigUtils.readStormConfig();
        final SimpleWhitelistAuthorizer authorizer = new SimpleWhitelistAuthorizer();
        authorizer.prepare(conf);
        final ReqContext request = new ReqContext(mkSubject("user"));
        final boolean permitted = authorizer.permit(request, "activate", conf);
        Assert.assertFalse(permitted);
    }

    /**
     * Once "user" is listed under "storm.auth.simple-white-list.users",
     * {@code SimpleWhitelistAuthorizer} must permit "activate" for that user.
     */
    @Test
    public void positiveWhitelistAuthroizationTest() {
        final Map<String, Object> conf = ConfigUtils.readStormConfig();
        conf.put("storm.auth.simple-white-list.users", Arrays.asList("user"));
        final SimpleWhitelistAuthorizer authorizer = new SimpleWhitelistAuthorizer();
        authorizer.prepare(conf);
        final ReqContext request = new ReqContext(mkSubject("user"));
        final boolean permitted = authorizer.permit(request, "activate", conf);
        Assert.assertTrue(permitted);
    }

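    /**
     * Authorization matrix for {@code SimpleACLAuthorizer} with one admin, one supervisor
     * user and no "nimbus.users" entry added by this test.
     *
     * <p>Four identities are checked per operation, always in the order user-a, user-b,
     * admin, supervisor. The copy-pasted assertions are grouped by expected outcome, and each
     * carries a message naming the operation and identity, so a failure is attributable
     * without counting source lines.
     */
    @Test
    public void simpleAclUserAuthTest() {
        final Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
        clusterConf.put("nimbus.admins", Arrays.asList("admin"));
        clusterConf.put("nimbus.supervisor.users", Arrays.asList("supervisor"));

        final ReqContext admin = new ReqContext(mkSubject("admin"));
        final ReqContext supervisor = new ReqContext(mkSubject("supervisor"));
        final ReqContext userA = new ReqContext(mkSubject("user-a"));
        final ReqContext userB = new ReqContext(mkSubject("user-b"));

        final Map<String, Object> emptyTopoConf = Collections.emptyMap();
        // Topology owned by user-a only.
        final Map<String, Object> userATopoConf = new HashMap<>();
        userATopoConf.put("topology.users", Arrays.asList("user-a"));

        final SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
        authorizer.prepare(clusterConf);

        // Submission with an empty topology conf: users and admin allowed, supervisor denied.
        Assert.assertTrue("submitTopology: user-a", authorizer.permit(userA, "submitTopology", emptyTopoConf));
        Assert.assertTrue("submitTopology: user-b", authorizer.permit(userB, "submitTopology", emptyTopoConf));
        Assert.assertTrue("submitTopology: admin", authorizer.permit(admin, "submitTopology", emptyTopoConf));
        Assert.assertFalse("submitTopology: supervisor", authorizer.permit(supervisor, "submitTopology", emptyTopoConf));

        // Cluster-level operations checked with a null topology conf: same outcome as submission.
        final String[] userLevelOps = {"fileUpload", "getNimbusConf", "getClusterInfo"};
        for (String op : userLevelOps) {
            Assert.assertTrue(op + ": user-a", authorizer.permit(userA, op, null));
            Assert.assertTrue(op + ": user-b", authorizer.permit(userB, op, null));
            Assert.assertTrue(op + ": admin", authorizer.permit(admin, op, null));
            Assert.assertFalse(op + ": supervisor", authorizer.permit(supervisor, op, null));
        }

        // fileDownload is the one operation here that the supervisor may perform and
        // ordinary users may not.
        Assert.assertFalse("fileDownload: user-a", authorizer.permit(userA, "fileDownload", null));
        Assert.assertFalse("fileDownload: user-b", authorizer.permit(userB, "fileDownload", null));
        Assert.assertTrue("fileDownload: admin", authorizer.permit(admin, "fileDownload", null));
        Assert.assertTrue("fileDownload: supervisor", authorizer.permit(supervisor, "fileDownload", null));

        // Per-topology operations on user-a's topology: only user-a and the admin are allowed.
        final String[] topologyOps = {
            "killTopology", "uploadNewCredentials", "rebalance", "activate", "deactivate",
            "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo",
        };
        for (String op : topologyOps) {
            Assert.assertTrue(op + ": user-a", authorizer.permit(userA, op, userATopoConf));
            Assert.assertFalse(op + ": user-b", authorizer.permit(userB, op, userATopoConf));
            Assert.assertTrue(op + ": admin", authorizer.permit(admin, op, userATopoConf));
            Assert.assertFalse(op + ": supervisor", authorizer.permit(supervisor, op, userATopoConf));
        }
    }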

    /**
     * Checks the cluster-level role lists consumed by {@link SimpleACLAuthorizer}.
     *
     * <p>The configuration names one admin, one supervisor user and one ordinary user. The test
     * asserts that the listed user may call {@code submitTopology} while an unlisted principal
     * ("user-b") is refused, that the admin may call {@code fileUpload}, and that the supervisor
     * principal may call {@code fileDownload}.
     */
    @Test
    public void simpleAclNimbusUsersAuthTest() {
        final Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
        clusterConf.put("nimbus.admins", Arrays.asList("admin"));
        clusterConf.put("nimbus.supervisor.users", Arrays.asList("supervisor"));
        clusterConf.put("nimbus.users", Arrays.asList("user-a"));

        final ReqContext adminCtx = new ReqContext(mkSubject("admin"));
        final ReqContext supervisorCtx = new ReqContext(mkSubject("supervisor"));
        final ReqContext listedUserCtx = new ReqContext(mkSubject("user-a"));
        final ReqContext unlistedUserCtx = new ReqContext(mkSubject("user-b"));

        final Map<String, Object> emptyTopoConf = Collections.emptyMap();
        // Operations that are not tied to a topology are checked without a topology configuration.
        final Map<String, Object> noTopoConf = null;

        final SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
        authorizer.prepare(clusterConf);

        // Allow-list check: only the principal named in nimbus.users may submit.
        Assert.assertTrue(authorizer.permit(listedUserCtx, "submitTopology", emptyTopoConf));
        Assert.assertFalse(authorizer.permit(unlistedUserCtx, "submitTopology", emptyTopoConf));

        // Role-specific operations for the admin and the supervisor principal.
        Assert.assertTrue(authorizer.permit(adminCtx, "fileUpload", noTopoConf));
        Assert.assertTrue(authorizer.permit(supervisorCtx, "fileDownload", noTopoConf));
    }

    /**
     * Checks that admin rights can be granted through group membership.
     *
     * <p>{@code nimbus.admins.groups} names "admin-group", and the group mapping service is set to
     * {@code FixedGroupsMapping} with a fixed table that places "admin" in "admin-group" and
     * "not-admin" in "not-admin-group". The test asserts that only the member of the admin group
     * is permitted {@code fileUpload}; a user in a different group and a user with no mapping are
     * both refused. The {@code nimbus.users} and supervisor checks mirror the user-list test.
     */
    @Test
    public void simpleAclNimbusGroupsAuthTest() {
        final Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
        clusterConf.put("nimbus.admins.groups", Arrays.asList("admin-group"));
        clusterConf.put("nimbus.supervisor.users", Arrays.asList("supervisor"));
        clusterConf.put("nimbus.users", Arrays.asList("user-a"));
        clusterConf.put("storm.group.mapping.service", FixedGroupsMapping.class.getName());

        // Fixed user -> groups table handed to the mapping service through its params map.
        final Map<String, Set<String>> groupsByUser = new HashMap<>();
        groupsByUser.put("admin", Collections.singleton("admin-group"));
        groupsByUser.put("not-admin", Collections.singleton("not-admin-group"));
        final Map<String, Object> mappingParams = new HashMap<>();
        mappingParams.put("storm.fixed.group.mapping", groupsByUser);
        clusterConf.put("storm.group.mapping.service.params", mappingParams);

        final ReqContext adminGroupMemberCtx = new ReqContext(mkSubject("admin"));
        final ReqContext otherGroupMemberCtx = new ReqContext(mkSubject("not-admin"));
        final ReqContext supervisorCtx = new ReqContext(mkSubject("supervisor"));
        final ReqContext listedUserCtx = new ReqContext(mkSubject("user-a"));
        final ReqContext unlistedUserCtx = new ReqContext(mkSubject("user-b"));

        final Map<String, Object> emptyTopoConf = Collections.emptyMap();
        final Map<String, Object> noTopoConf = null;

        final SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
        authorizer.prepare(clusterConf);

        Assert.assertTrue(authorizer.permit(listedUserCtx, "submitTopology", emptyTopoConf));
        Assert.assertFalse(authorizer.permit(unlistedUserCtx, "submitTopology", emptyTopoConf));

        // Group-derived admin right: granted to the admin-group member, refused to everyone else.
        Assert.assertTrue(authorizer.permit(adminGroupMemberCtx, "fileUpload", noTopoConf));
        Assert.assertFalse(authorizer.permit(otherGroupMemberCtx, "fileUpload", noTopoConf));
        Assert.assertFalse(authorizer.permit(unlistedUserCtx, "fileUpload", noTopoConf));

        Assert.assertTrue(authorizer.permit(supervisorCtx, "fileDownload", noTopoConf));
    }

    /**
     * Checks the case where one principal appears in two role lists at once.
     *
     * <p>"admin" is listed both in {@code nimbus.admins} and in {@code nimbus.supervisor.users}.
     * The test asserts that this principal is still permitted every operation checked below,
     * including operations on a topology whose {@code topology.users} names a different user.
     *
     * <p>NOTE(review): "deactivate" is not asserted here although the preceding ACL test in this
     * file checks it; confirm whether the omission is intentional.
     */
    @Test
    public void simpleAclSameUserAuthTest() {
        final Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
        clusterConf.put("nimbus.admins", Arrays.asList("admin"));
        clusterConf.put("nimbus.supervisor.users", Arrays.asList("admin"));

        final ReqContext dualRoleCtx = new ReqContext(mkSubject("admin"));

        final Map<String, Object> emptyTopoConf = Collections.emptyMap();
        final Map<String, Object> noTopoConf = null;
        // Topology owned by someone else: "admin" is not in its topology.users list.
        final Map<String, Object> foreignTopoConf = new HashMap<>();
        foreignTopoConf.put("topology.users", Arrays.asList("user-a"));

        final SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
        authorizer.prepare(clusterConf);

        // Cluster-level operations.
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "submitTopology", emptyTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "fileUpload", noTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "getNimbusConf", noTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "getClusterInfo", noTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "fileDownload", noTopoConf));

        // Operations against the topology that lists only "user-a".
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "killTopology", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "uploadNewCredentials", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "rebalance", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "activate", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "getTopologyConf", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "getTopology", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "getUserTopology", foreignTopoConf));
        Assert.assertTrue(authorizer.permit(dualRoleCtx, "getTopologyInfo", foreignTopoConf));
    }

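    /**
     * Checks how {@link ShellBasedGroupsMapping} answers for a real, an unknown and a null user.
     *
     * <p>The lookup for the current OS user must return a set (possibly empty, since the account
     * running the tests may have no groups). The unknown and the {@code null} user must both map
     * to an empty set rather than to an exception or to somebody else's groups, which matters
     * because group membership feeds the group-based ACL checks.
     *
     * @throws Exception if a group lookup fails
     */
    @Test
    public void shellBaseGroupsMappingTest() throws Exception {
        final Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
        final ShellBasedGroupsMapping groupsMapping = new ShellBasedGroupsMapping();
        groupsMapping.prepare(clusterConf);

        // The previous check, size() >= 0, could never fail; what it really guarded was that the
        // lookup returns a set at all, so assert exactly that.
        Assert.assertNotNull(
            "group lookup for the current user must return a set",
            groupsMapping.getGroups(System.getProperty("user.name")));

        Assert.assertEquals(0L, groupsMapping.getGroups("userDoesNotExist").size());
        Assert.assertEquals(0L, groupsMapping.getGroups((String) null).size());
    }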

    /**
     * Expects the transport-plugin lookup to fail with a {@link RuntimeException} when
     * {@code storm.thrift.transport} is set to the value "null.invalid".
     *
     * <p>NOTE(review): {@code expected = RuntimeException.class} is satisfied by a runtime
     * exception from any statement in the method, including the configuration read; confirm that
     * this breadth is acceptable.
     */
    @Test(expected = RuntimeException.class)
    public void getTransportPluginThrowsRunimeTest() {
        final Map<String, Object> conf = ConfigUtils.readStormConfig();
        // Presumably not a loadable plugin class name; verify against ClientAuthUtils.
        conf.put("storm.thrift.transport", "null.invalid");
        ClientAuthUtils.getTransportPlugin(ThriftConnectionType.NIMBUS, conf);
    }

    /**
     * Exercises {@link ImpersonationAuthorizer} against a single ACL entry.
     *
     * <p>{@code nimbus.impersonation.acl} holds one entry, keyed "admin", whose {@code hosts} list
     * contains the local host name and whose {@code groups} are the groups of the current OS
     * user. The assertions cover one request without impersonation (permitted), three refusals
     * (a principal with no ACL entry, a request from a host outside the list, and a target user
     * named "unauthorized-user") and the one combination that is permitted.
     *
     * <p>NOTE(review): the outcome depends on {@code InetAddress.getLocalHost()} resolving and on
     * the shell group lookup for the account running the tests; confirm both hold in CI.
     *
     * @throws Exception if host resolution or the group lookup fails
     */
    @Test
    public void impersonationAuthorizerTest() throws Exception {
        final String currentUser = System.getProperty("user.name");
        final Map<String, Object> clusterConf = ConfigUtils.readStormConfig();

        final ShellBasedGroupsMapping groupsMapping = new ShellBasedGroupsMapping();
        groupsMapping.prepare(clusterConf);
        final Set<String> currentUserGroups = groupsMapping.getGroups(currentUser);
        final InetAddress allowedHost = InetAddress.getLocalHost();

        // ACL: "admin" -> { hosts: [local host name], groups: groups of the current user }.
        final Map<String, Object> impersonationAcl = new HashMap<>();
        final Map<String, Object> adminEntry = new HashMap<>();
        adminEntry.put("hosts", Arrays.asList(allowedHost.getHostName()));
        adminEntry.put("groups", currentUserGroups);
        impersonationAcl.put("admin", adminEntry);
        clusterConf.put("nimbus.impersonation.acl", impersonationAcl);

        // An address that is not in the ACL's hosts list.
        final InetAddress otherHost = InetAddresses.forString("10.10.10.10");
        final Map<String, Object> noTopoConf = null;

        final ImpersonationAuthorizer authorizer = new ImpersonationAuthorizer();
        authorizer.prepare(clusterConf);

        // Plain request, no impersonation involved. The operation name is kept as spelled in the
        // original test.
        final ReqContext plainCtx = new ReqContext(mkSubject("anyuser"));
        Assert.assertTrue(authorizer.permit(plainCtx, "fileUplaod", noTopoConf));

        // Refused: the first principal has no entry in the ACL.
        final ReqContext noAclCtx =
            mkImpersonatingReqContext("user-with-no-acl", currentUser, allowedHost);
        Assert.assertFalse(authorizer.permit(noAclCtx, "someOperation", noTopoConf));

        // Refused: the request comes from an address outside the hosts list.
        final ReqContext wrongHostCtx = mkImpersonatingReqContext("admin", currentUser, otherHost);
        Assert.assertFalse(authorizer.permit(wrongHostCtx, "someOperation", noTopoConf));

        // Refused: the second user is "unauthorized-user" instead of the current user.
        final ReqContext wrongTargetCtx =
            mkImpersonatingReqContext("admin", "unauthorized-user", allowedHost);
        Assert.assertFalse(authorizer.permit(wrongTargetCtx, "someOperation", noTopoConf));

        // Permitted: ACL principal, listed host, current user.
        final ReqContext allowedCtx = mkImpersonatingReqContext("admin", currentUser, allowedHost);
        Assert.assertTrue(authorizer.permit(allowedCtx, "someOperation", noTopoConf));
    }

    // Static initializer: sets the class-wide logger and resolves the JAAS configuration files
    // used by the digest-authentication tests.
    static {
        // NOTE(review): looks like the compiler-generated flag that backs `assert` statements,
        // surfaced by decompilation; its declaration is not visible in this part of the file.
        $assertionsDisabled = !AuthTest.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger(AuthTest.class);
        // Relative path: the fixtures resolve against the working directory of the test run.
        BASE = new File("./src/test/resources/");
        // BASE must be assigned before the lines below, which build absolute paths from it.
        DIGEST_JAAS_CONF = new File(BASE, "jaas_digest.conf").getAbsolutePath();
        // Judging by the file names, the next three are the negative cases (bad password,
        // unknown user, missing client section) — confirm against the fixture contents.
        BAD_PASSWORD_CONF = new File(BASE, "jaas_digest_bad_password.conf").getAbsolutePath();
        WRONG_USER_CONF = new File(BASE, "jaas_digest_unknown_user.conf").getAbsolutePath();
        MISSING_CLIENT = new File(BASE, "jaas_digest_missing_client.conf").getAbsolutePath();
    }
}
