package org.apache.hadoop.crypto.key.kms.server;

import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.UserProvider;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider;
import org.apache.hadoop.security.UserGroupInformation;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;

/* JADX WARN: Classes with same name are omitted:
  input_file:hadoop-kms-2.6.4-tests.jar:org/apache/hadoop/crypto/key/kms/server/TestKeyAuthorizationKeyProvider.class
 */
/* loaded from: input_file:test-classes/org/apache/hadoop/crypto/key/kms/server/TestKeyAuthorizationKeyProvider.class */
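/**
 * Tests for {@link KeyAuthorizationKeyProvider}, the KMS layer that enforces
 * per-key ACLs in front of an underlying {@link KeyProvider}.
 *
 * <p>Each test puts a {@link UserProvider} behind a mocked
 * {@link KeyAuthorizationKeyProvider.KeyACLs}. The mock is stubbed to grant
 * specific (ACL name, user, operation) triples; everything not stubbed is
 * denied, because Mockito answers {@code false} for unstubbed boolean methods.
 * Provider calls are then issued as different users through
 * {@link UserGroupInformation#doAs}, and an {@link IOException} thrown by the
 * provider is read as "authorization denied".
 */
public class TestKeyAuthorizationKeyProvider {
    private static final String CIPHER = "AES";
    /** Bit length of every key created here; also fixes the material size. */
    private static final int BIT_LENGTH = 128;
    /** Key attribute that names the ACL governing a key in place of the key's own name. */
    private static final String KEY_ACL_NAME = "key.acl.name";
    /** ACL name that the attribute-based tests grant access through. */
    private static final String ACL_KEY = "testKey";
    private static final String USER_PROVIDER_URI = "user:///";

    /**
     * A user may create a key only when a MANAGEMENT ACL exists for that key
     * name and the user is in it; a key with no ACL, or a user not in the
     * ACL, is refused.
     */
    @Test
    public void testCreateKey() throws Exception {
        final Configuration conf = new Configuration();
        KeyProvider backing = newUserProvider(conf);
        KeyAuthorizationKeyProvider.KeyACLs acls =
                Mockito.mock(KeyAuthorizationKeyProvider.KeyACLs.class);
        UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
        // Only "foo" has a MANAGEMENT ACL and only u1 is in it.
        grant(acls, "foo", u1, KeyAuthorizationKeyProvider.KeyOpType.MANAGEMENT);
        final KeyAuthorizationKeyProvider kp = wrapWithAcls(backing, acls);

        u1.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                try {
                    kp.createKey("foo", randomMaterial(), newOptions(conf));
                } catch (IOException e) {
                    Assert.fail("User should be Authorized !!");
                }
                // "bar" has no ACL at all, so even u1 is refused.
                try {
                    kp.createKey("bar", randomMaterial(), newOptions(conf));
                    Assert.fail("User should NOT be Authorized !!");
                } catch (IOException expected) {
                    // denial is the outcome under test
                }
                return null;
            }
        });

        // A user that no stub names is refused on "foo" as well; the mock
        // matches the UGI instance, so a different user never hits u1's grant.
        UserGroupInformation.createRemoteUser("badGuy").doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                try {
                    kp.createKey("foo", randomMaterial(), newOptions(conf));
                    Assert.fail("User should NOT be Authorized !!");
                } catch (IOException expected) {
                    // denial is the outcome under test
                }
                return null;
            }
        });
    }

    /**
     * With the {@code key.acl.name} attribute set, authorization is evaluated
     * against the named ACL rather than the key's own name, and each op type
     * is enforced separately: MANAGEMENT covers the key lifecycle but not EEK
     * generation, GENERATE_EEK and DECRYPT_EEK cover exactly one crypto op
     * each and cannot delete the key, and ALL covers everything.
     */
    @Test
    public void testOpsWhenACLAttributeExists() throws Exception {
        final Configuration conf = new Configuration();
        KeyProvider backing = newUserProvider(conf);
        UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
        UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
        UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
        UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
        KeyAuthorizationKeyProvider.KeyACLs acls = mockAcls(ACL_KEY, u1, u2, u3, sudo);
        final KeyAuthorizationKeyProvider kp = wrapWithAcls(backing, acls);

        // u1 (MANAGEMENT): full key lifecycle is allowed, EEK generation is not.
        final KeyProvider.KeyVersion barKey = u1.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() {
            @Override
            public KeyProvider.KeyVersion run() throws Exception {
                KeyProvider.Options opts = newOptionsWithAcl(conf, ACL_KEY);
                try {
                    KeyProvider.KeyVersion foo = kp.createKey("foo", randomMaterial(), opts);
                    kp.rollNewVersion(foo.getName());
                    kp.rollNewVersion(foo.getName(), randomMaterial());
                    kp.deleteKey(foo.getName());
                } catch (IOException e) {
                    Assert.fail("User should be Authorized !!");
                }
                // Create "bar" outside the try so a failed create is reported
                // as the create failing, not as the EEK denial below.
                KeyProvider.KeyVersion bar = kp.createKey("bar", randomMaterial(), opts);
                try {
                    kp.generateEncryptedKey(bar.getName());
                    Assert.fail("User should NOT be Authorized to generate EEK !!");
                } catch (IOException expected) {
                    // GENERATE_EEK is not among u1's grants
                }
                return bar;
            }
        });

        // u2 (GENERATE_EEK): may generate an EEK under "bar" but not delete the key.
        final KeyProviderCryptoExtension.EncryptedKeyVersion eek = u2.doAs(
                new PrivilegedExceptionAction<KeyProviderCryptoExtension.EncryptedKeyVersion>() {
            @Override
            public KeyProviderCryptoExtension.EncryptedKeyVersion run() throws Exception {
                try {
                    kp.deleteKey(barKey.getName());
                    Assert.fail("User should NOT be Authorized to perform any other operation !!");
                } catch (IOException expected) {
                    // MANAGEMENT is not among u2's grants
                }
                return kp.generateEncryptedKey(barKey.getName());
            }
        });

        // u3 (DECRYPT_EEK): may decrypt u2's EEK but not delete the key.
        u3.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() {
            @Override
            public KeyProvider.KeyVersion run() throws Exception {
                try {
                    kp.deleteKey(barKey.getName());
                    Assert.fail("User should NOT be Authorized to perform any other operation !!");
                } catch (IOException expected) {
                    // MANAGEMENT is not among u3's grants
                }
                return kp.decryptEncryptedKey(eek);
            }
        });

        // sudo (ALL): every operation succeeds in one pass.
        sudo.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                KeyProvider.Options opts = newOptionsWithAcl(conf, ACL_KEY);
                try {
                    KeyProvider.KeyVersion foo = kp.createKey("foo", randomMaterial(), opts);
                    kp.rollNewVersion(foo.getName());
                    kp.rollNewVersion(foo.getName(), randomMaterial());
                    kp.decryptEncryptedKey(kp.generateEncryptedKey(foo.getName()));
                    kp.deleteKey(foo.getName());
                } catch (IOException e) {
                    Assert.fail("User should be Allowed to do everything !!");
                }
                return null;
            }
        });
    }

    /**
     * Builds {@value #BIT_LENGTH}-bit {@value #CIPHER} key options against
     * {@code configuration}, with no ACL attribute.
     *
     * @param configuration the configuration the options are created from
     * @return fresh options; never shared between calls
     */
    public static KeyProvider.Options newOptions(Configuration configuration) {
        KeyProvider.Options options = new KeyProvider.Options(configuration);
        options.setCipher(CIPHER);
        options.setBitLength(BIT_LENGTH);
        return options;
    }

    /**
     * Like {@link #newOptions} but tags the key with {@code key.acl.name} so
     * the provider authorizes it through {@code aclName}'s ACL rather than an
     * ACL named after the key itself.
     */
    private static KeyProvider.Options newOptionsWithAcl(Configuration configuration, String aclName) {
        KeyProvider.Options options = newOptions(configuration);
        Map<String, String> attributes = new HashMap<String, String>();
        attributes.put(KEY_ACL_NAME, aclName);
        options.setAttributes(attributes);
        return options;
    }

    /** Creates the {@link UserProvider} at {@code user:///} that backs each test. */
    private static KeyProvider newUserProvider(Configuration configuration) throws Exception {
        return new UserProvider.Factory().createProvider(new URI(USER_PROVIDER_URI), configuration);
    }

    /** Wraps {@code backing} in the ACL-enforcing provider under test. */
    private static KeyAuthorizationKeyProvider wrapWithAcls(
            KeyProvider backing, KeyAuthorizationKeyProvider.KeyACLs acls) {
        return new KeyAuthorizationKeyProvider(
                KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing), acls);
    }

    /**
     * Stubs {@code acls} so that an ACL named {@code aclName} exists for
     * {@code op} and {@code user} is granted it. Anything not stubbed this
     * way stays denied.
     */
    private static void grant(KeyAuthorizationKeyProvider.KeyACLs acls, String aclName,
            UserGroupInformation user, KeyAuthorizationKeyProvider.KeyOpType op) {
        Mockito.when(acls.isACLPresent(aclName, op)).thenReturn(true);
        Mockito.when(acls.hasAccessToKey(aclName, user, op)).thenReturn(true);
    }

    /**
     * Mocks a {@link KeyAuthorizationKeyProvider.KeyACLs} in which the ACL
     * {@code aclName} exists for all four op types and each user holds exactly
     * one of them: MANAGEMENT, GENERATE_EEK, DECRYPT_EEK and ALL respectively.
     */
    private static KeyAuthorizationKeyProvider.KeyACLs mockAcls(String aclName,
            UserGroupInformation manager, UserGroupInformation generator,
            UserGroupInformation decryptor, UserGroupInformation admin) {
        KeyAuthorizationKeyProvider.KeyACLs acls =
                Mockito.mock(KeyAuthorizationKeyProvider.KeyACLs.class);
        grant(acls, aclName, manager, KeyAuthorizationKeyProvider.KeyOpType.MANAGEMENT);
        grant(acls, aclName, generator, KeyAuthorizationKeyProvider.KeyOpType.GENERATE_EEK);
        grant(acls, aclName, decryptor, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK);
        grant(acls, aclName, admin, KeyAuthorizationKeyProvider.KeyOpType.ALL);
        return acls;
    }

    /**
     * Throwaway key material sized to {@link #BIT_LENGTH}. {@code getSeed}
     * draws from the JVM's seed source and may block on entropy-starved hosts;
     * tolerable here only because the bytes are test fixtures.
     */
    private static byte[] randomMaterial() {
        return SecureRandom.getSeed(BIT_LENGTH / 8);
    }

    /**
     * An EEK whose encryption-key name does not match the key version it was
     * generated under must be rejected with {@link IllegalArgumentException}
     * before any decryption happens, even for a user holding ALL. The mock is
     * stubbed exactly as in {@link #testOpsWhenACLAttributeExists} although
     * only {@code sudo} acts, so the failure cannot be an ACL denial.
     */
    @Test(expected = IllegalArgumentException.class)
    public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
        final Configuration conf = new Configuration();
        KeyProvider backing = newUserProvider(conf);
        UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
        UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
        UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
        UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
        KeyAuthorizationKeyProvider.KeyACLs acls = mockAcls(ACL_KEY, u1, u2, u3, sudo);
        final KeyAuthorizationKeyProvider kp = wrapWithAcls(backing, acls);

        sudo.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                KeyProvider.KeyVersion foo = kp.createKey("foo", randomMaterial(), newOptionsWithAcl(conf, ACL_KEY));
                kp.rollNewVersion(foo.getName());
                kp.rollNewVersion(foo.getName(), randomMaterial());
                KeyProviderCryptoExtension.EncryptedKeyVersion eek = kp.generateEncryptedKey(foo.getName());
                // Same version name, IV and material, but the key name is
                // altered: the provider must refuse rather than decrypt.
                KeyProviderCryptoExtension.EncryptedKeyVersion mismatched =
                        KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
                                eek.getEncryptionKeyName() + "x",
                                eek.getEncryptionKeyVersionName(),
                                eek.getEncryptedKeyIv(),
                                eek.getEncryptedKeyVersion().getMaterial());
                kp.decryptEncryptedKey(mismatched);
                return null;
            }
        });
    }
}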
