package org.apache.drill.exec.server.rest.spnego;

import com.typesafe.config.ConfigValueFactory;
import java.lang.reflect.Field;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.drill.categories.SecurityTest;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.rpc.security.KerberosHelper;
import org.apache.drill.exec.server.DrillbitContext;
import org.apache.drill.exec.server.options.SystemOptionManager;
import org.apache.drill.exec.server.rest.auth.DrillSpnegoAuthenticator;
import org.apache.drill.exec.server.rest.auth.DrillSpnegoLoginService;
import org.apache.drill.shaded.guava.com.google.common.collect.Lists;
import org.apache.drill.test.BaseDirTestWatcher;
import org.apache.drill.test.BaseTest;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.mockito.Mockito;
import org.mockito.stubbing.OngoingStubbing;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;

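/**
 * Unit tests for {@link DrillSpnegoAuthenticator#validateRequest}, run against a test KDC
 * started through {@link KerberosHelper} and fully mocked servlet request/response/session
 * objects.
 *
 * <p>The whole class is currently disabled by {@code @Ignore("See DRILL-5387")}, so none of
 * the authentication checks below run until that annotation is removed.
 */
@Ignore("See DRILL-5387")
@Category({SecurityTest.class})
public class TestDrillSpnegoAuthenticator extends BaseTest {
    /** Session attribute under which these tests stub and verify the authenticated identity. */
    private static final String SESSION_AUTH_ATTRIBUTE = "org.eclipse.jetty.security.UserIdentity";

    /** Request URI of the SPNEGO login resource used by the tests. */
    private static final String SPNEGO_LOGIN_PATH = "/spnegoLogin";

    private static KerberosHelper spnegoHelper;
    private static final String primaryName = "HTTP";
    private static DrillSpnegoAuthenticator spnegoAuthenticator;
    private static final BaseDirTestWatcher dirTestWatcher = new BaseDirTestWatcher();

    /**
     * Starts the test KDC and builds a {@link DrillSpnegoAuthenticator} wired to a mocked
     * Jetty {@link Authenticator.AuthConfiguration}.
     *
     * @throws Exception if the KDC cannot be started or the reflective realm reset fails
     */
    @BeforeClass
    public static void setupTest() throws Exception {
        spnegoHelper = new KerberosHelper(TestSpnegoAuthentication.class.getSimpleName(), primaryName);
        spnegoHelper.setupKdc(dirTestWatcher.getTmpDir());

        // Re-read the JDK's Kerberos configuration after the KDC setup.
        Config.refresh();

        // KerberosName keeps its default realm in a private static field; overwrite it
        // reflectively with the realm KerberosUtil reports now that the config was refreshed.
        Field defaultRealm = KerberosName.class.getDeclaredField("defaultRealm");
        defaultRealm.setAccessible(true);
        defaultRealm.set(null, KerberosUtil.getDefaultRealm());

        // Enable only the SPNEGO mechanism and point it at the test server principal/keytab.
        DrillConfig drillConfig = new DrillConfig(DrillConfig.create()
            .withValue("drill.exec.http.auth.mechanisms",
                ConfigValueFactory.fromIterable(Lists.newArrayList("spnego")))
            .withValue("drill.exec.http.auth.spnego.principal",
                ConfigValueFactory.fromAnyRef(spnegoHelper.SERVER_PRINCIPAL))
            .withValue("drill.exec.http.auth.spnego.keytab",
                ConfigValueFactory.fromAnyRef(spnegoHelper.serverKeytab.toString())));

        // Admin user / admin group options are stubbed with placeholder values.
        SystemOptionManager systemOptionManager = Mockito.mock(SystemOptionManager.class);
        Mockito.when(systemOptionManager.getOption(ExecConstants.ADMIN_USERS_VALIDATOR))
            .thenReturn("%drill_process_user%");
        Mockito.when(systemOptionManager.getOption(ExecConstants.ADMIN_USER_GROUPS_VALIDATOR))
            .thenReturn("%drill_process_user_groups%");

        DrillbitContext drillbitContext = Mockito.mock(DrillbitContext.class);
        Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
        Mockito.when(drillbitContext.getOptionManager()).thenReturn(systemOptionManager);

        Authenticator.AuthConfiguration authConfiguration =
            Mockito.mock(Authenticator.AuthConfiguration.class);
        spnegoAuthenticator = new DrillSpnegoAuthenticator("SPNEGO");
        Mockito.when(authConfiguration.getLoginService())
            .thenReturn(new DrillSpnegoLoginService(drillbitContext));
        Mockito.when(authConfiguration.getIdentityService()).thenReturn(new DefaultIdentityService());
        Mockito.when(authConfiguration.isSessionRenewedOnAuthentication()).thenReturn(true);
        spnegoAuthenticator.setConfiguration(authConfiguration);
    }

    /**
     * Stops the test KDC started in {@link #setupTest()}.
     *
     * @throws Exception if the KDC fails to stop
     */
    @AfterClass
    public static void cleanTest() throws Exception {
        spnegoHelper.stopKdc();
    }

    /**
     * A request to the SPNEGO login resource with no stubbed session identity and no stubbed
     * Authorization header must be challenged: {@code SEND_CONTINUE}, a 401, and a
     * {@code WWW-Authenticate: Negotiate} header.
     */
    @Test
    public void testNewSessionReqForSpnegoLogin() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        HttpSession session = Mockito.mock(HttpSession.class);

        Mockito.when(request.getSession(true)).thenReturn(session);
        Mockito.when(request.getRequestURI()).thenReturn(SPNEGO_LOGIN_PATH);

        // JUnit expects (expected, actual); this order keeps failure messages accurate.
        Assert.assertEquals(Authentication.SEND_CONTINUE,
            spnegoAuthenticator.validateRequest(request, response, false));

        Mockito.verify(response).sendError(401);
        Mockito.verify(response)
            .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    }

    /**
     * When the session already holds an authentication, a request to the SPNEGO login
     * resource returns that authentication and sends no new challenge.
     */
    @Test
    public void testAuthClientRequestForSpnegoLoginResource() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        HttpSession session = Mockito.mock(HttpSession.class);
        Authentication authentication = Mockito.mock(UserAuthentication.class);

        Mockito.when(request.getSession(true)).thenReturn(session);
        Mockito.when(request.getRequestURI()).thenReturn(SPNEGO_LOGIN_PATH);
        Mockito.when(session.getAttribute(SESSION_AUTH_ATTRIBUTE)).thenReturn(authentication);

        Assert.assertEquals(authentication,
            spnegoAuthenticator.validateRequest(request, response, false));

        Mockito.verify(response, Mockito.never()).sendError(401);
        Mockito.verify(response, Mockito.never())
            .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    }

    /**
     * When the session already holds an authentication, a request to another page
     * ({@code "/"}) returns that authentication and sends no challenge.
     */
    @Test
    public void testAuthClientRequestForOtherPage() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        HttpSession session = Mockito.mock(HttpSession.class);
        Authentication authentication = Mockito.mock(UserAuthentication.class);

        Mockito.when(request.getSession(true)).thenReturn(session);
        Mockito.when(request.getRequestURI()).thenReturn("/");
        Mockito.when(session.getAttribute(SESSION_AUTH_ATTRIBUTE)).thenReturn(authentication);

        Assert.assertEquals(authentication,
            spnegoAuthenticator.validateRequest(request, response, false));

        Mockito.verify(response, Mockito.never()).sendError(401);
        Mockito.verify(response, Mockito.never())
            .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    }

    /**
     * A request to {@code /logout} from an authenticated session returns {@code null} and
     * removes the stored identity from the session, without sending a challenge.
     */
    @Test
    public void testAuthClientRequestForLogOut() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        HttpSession session = Mockito.mock(HttpSession.class);
        Authentication authentication = Mockito.mock(UserAuthentication.class);

        Mockito.when(request.getSession(true)).thenReturn(session);
        Mockito.when(request.getRequestURI()).thenReturn("/logout");
        Mockito.when(session.getAttribute(SESSION_AUTH_ATTRIBUTE)).thenReturn(authentication);

        Assert.assertNull(spnegoAuthenticator.validateRequest(request, response, false));

        // Logging out must clear the identity that was cached in the session.
        Mockito.verify(session).removeAttribute(SESSION_AUTH_ATTRIBUTE);
        Mockito.verify(response, Mockito.never()).sendError(401);
        Mockito.verify(response, Mockito.never())
            .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    }

    /**
     * A login request carrying a corrupted SPNEGO token must be rejected with
     * {@code UNAUTHENTICATED} and must not store any identity in the session.
     *
     * <p>The client obtains a genuine initial token for the server principal from the test
     * KDC; the test then prefixes it with {@code "1234"} so it no longer decodes to the
     * original token.
     */
    @Test
    public void testSpnegoLoginInvalidToken() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        HttpSession session = Mockito.mock(HttpSession.class);

        // Log the client in from its keytab and create the token as that subject.
        Subject clientSubject = JaasKrbUtil.loginUsingKeytab(
            spnegoHelper.CLIENT_PRINCIPAL, spnegoHelper.clientKeytab.getAbsoluteFile());

        // The explicit target type is required: Subject.doAs is overloaded for
        // PrivilegedAction and PrivilegedExceptionAction, and a bare zero-argument lambda
        // is ambiguous between the two.
        String token = Subject.doAs(clientSubject,
            (java.security.PrivilegedExceptionAction<String>) () -> {
                GSSManager gssManager = GSSManager.getInstance();
                GSSContext gssContext = null;
                try {
                    Oid spnegoOid = GSSUtil.GSS_SPNEGO_MECH_OID;
                    GSSName serverName = gssManager.createName(
                        spnegoHelper.SERVER_PRINCIPAL, GSSName.NT_USER_NAME, spnegoOid);
                    gssContext = gssManager.createContext(
                        serverName, spnegoOid, (GSSCredential) null, 0);
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);

                    // An empty input buffer yields the first token of the exchange.
                    byte[] empty = new byte[0];
                    return Base64.encodeBase64String(
                        gssContext.initSecContext(empty, 0, empty.length));
                } finally {
                    // Always release the GSS context, on success and on failure.
                    if (gssContext != null) {
                        gssContext.dispose();
                    }
                }
            });

        Mockito.when(request.getSession(true)).thenReturn(session);

        // NOTE(review): the header is built as "<Negotiate>:<token>", whereas the HTTP
        // Negotiate scheme separates scheme and token with a space. Confirm that the
        // authenticator's parsing still reaches token validation with this form, so the
        // rejection asserted below is caused by the corrupted token and not by the header
        // being skipped.
        String corruptedToken = String.format("%s%s", "1234", token);
        String authorizationHeader =
            String.format("%s:%s", HttpHeader.NEGOTIATE.asString(), corruptedToken);
        Mockito.when(request.getHeader(HttpHeader.AUTHORIZATION.asString()))
            .thenReturn(authorizationHeader);
        Mockito.when(request.getRequestURI()).thenReturn(SPNEGO_LOGIN_PATH);

        Assert.assertEquals(Authentication.UNAUTHENTICATED,
            spnegoAuthenticator.validateRequest(request, response, false));

        // Match any value: verifying only setAttribute(key, null) would still pass if a
        // real identity had been stored in the session after a failed login.
        Mockito.verify(session, Mockito.never())
            .setAttribute(Mockito.eq(SESSION_AUTH_ATTRIBUTE), Mockito.any());
        Mockito.verify(response, Mockito.never()).sendError(401);
        Mockito.verify(response, Mockito.never())
            .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    }
}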
