package org.apache.hadoop.hbase.regionserver;

import java.io.IOException;
import java.security.Key;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HColumnDescriptor;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.Waiter;
import org.apache.hadoop.hbase.client.CompactionState;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.io.crypto.Encryption;
import org.apache.hadoop.hbase.io.crypto.KeyProviderForTesting;
import org.apache.hadoop.hbase.io.hfile.CacheConfig;
import org.apache.hadoop.hbase.io.hfile.HFile;
import org.apache.hadoop.hbase.master.assignment.MockMasterServices;
import org.apache.hadoop.hbase.security.EncryptionUtil;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.shaded.com.github.benmanes.caffeine.cache.LocalCacheFactory;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.RegionServerTests;
import org.apache.hadoop.hbase.util.Bytes;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.TestName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Category({RegionServerTests.class, MediumTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/regionserver/TestEncryptionKeyRotation.class */
public class TestEncryptionKeyRotation {

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestEncryptionKeyRotation.class);
    private static final Logger LOG = LoggerFactory.getLogger(TestEncryptionKeyRotation.class);
    private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
    private static final Configuration conf = TEST_UTIL.getConfiguration();
    private static final Key initialCFKey;
    private static final Key secondCFKey;

    @Rule
    public TestName name = new TestName();

    @BeforeClass
    public static void setUp() throws Exception {
        conf.setInt(HFile.FORMAT_VERSION_KEY, 3);
        conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyProviderForTesting.class.getName());
        conf.set(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, "hbase");
        TEST_UTIL.startMiniCluster(1);
    }

    @AfterClass
    public static void tearDown() throws Exception {
        TEST_UTIL.shutdownMiniCluster();
    }

    @Test
    public void testCFKeyRotation() throws Exception {
        final HTableDescriptor hTableDescriptor = new HTableDescriptor(TableName.valueOf("default", this.name.getMethodName()));
        HColumnDescriptor hColumnDescriptor = new HColumnDescriptor(MockMasterServices.DEFAULT_COLUMN_FAMILY_NAME);
        hColumnDescriptor.setEncryptionType(conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES));
        hColumnDescriptor.setEncryptionKey(EncryptionUtil.wrapKey(conf, "hbase", initialCFKey));
        hTableDescriptor.addFamily(hColumnDescriptor);
        createTableAndFlush(hTableDescriptor);
        List<Path> findStorefilePaths = findStorefilePaths(hTableDescriptor.getTableName());
        Assert.assertTrue(findStorefilePaths.size() > 0);
        for (Path path : findStorefilePaths) {
            Assert.assertTrue("Store file " + path + " has incorrect key", Bytes.equals(initialCFKey.getEncoded(), extractHFileKey(path)));
        }
        HColumnDescriptor family = hTableDescriptor.getFamily(Bytes.toBytes(MockMasterServices.DEFAULT_COLUMN_FAMILY_NAME));
        family.setEncryptionKey(EncryptionUtil.wrapKey(conf, conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, User.getCurrent().getShortName()), secondCFKey));
        TEST_UTIL.getAdmin().modifyColumnFamily(hTableDescriptor.getTableName(), family);
        Thread.sleep(5000L);
        TEST_UTIL.getAdmin().majorCompact(hTableDescriptor.getTableName());
        TEST_UTIL.waitFor(30000L, new Waiter.Predicate<IOException>() { // from class: org.apache.hadoop.hbase.regionserver.TestEncryptionKeyRotation.1
            @Override // org.apache.hadoop.hbase.Waiter.Predicate
            public boolean evaluate() throws IOException {
                return TestEncryptionKeyRotation.TEST_UTIL.getAdmin().getCompactionState(hTableDescriptor.getTableName()) == CompactionState.NONE;
            }
        });
        List<Path> findStorefilePaths2 = findStorefilePaths(hTableDescriptor.getTableName());
        Assert.assertTrue(findStorefilePaths2.size() > 0);
        for (Path path2 : findStorefilePaths2) {
            Assert.assertTrue("Store file " + path2 + " has incorrect key", Bytes.equals(secondCFKey.getEncoded(), extractHFileKey(path2)));
        }
        List<Path> findCompactedStorefilePaths = findCompactedStorefilePaths(hTableDescriptor.getTableName());
        Assert.assertTrue(findCompactedStorefilePaths.size() > 0);
        for (Path path3 : findCompactedStorefilePaths) {
            Assert.assertTrue("Store file " + path3 + " retains initial key", Bytes.equals(initialCFKey.getEncoded(), extractHFileKey(path3)));
        }
    }

    @Test
    public void testMasterKeyRotation() throws Exception {
        HTableDescriptor hTableDescriptor = new HTableDescriptor(TableName.valueOf("default", this.name.getMethodName()));
        HColumnDescriptor hColumnDescriptor = new HColumnDescriptor(MockMasterServices.DEFAULT_COLUMN_FAMILY_NAME);
        hColumnDescriptor.setEncryptionType(conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES));
        hColumnDescriptor.setEncryptionKey(EncryptionUtil.wrapKey(conf, "hbase", initialCFKey));
        hTableDescriptor.addFamily(hColumnDescriptor);
        createTableAndFlush(hTableDescriptor);
        List<Path> findStorefilePaths = findStorefilePaths(hTableDescriptor.getTableName());
        Assert.assertTrue(findStorefilePaths.size() > 0);
        for (Path path : findStorefilePaths) {
            Assert.assertTrue("Store file " + path + " has incorrect key", Bytes.equals(initialCFKey.getEncoded(), extractHFileKey(path)));
        }
        TEST_UTIL.shutdownMiniHBaseCluster();
        conf.set(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, "other");
        conf.set(HConstants.CRYPTO_MASTERKEY_ALTERNATE_NAME_CONF_KEY, "hbase");
        TEST_UTIL.startMiniHBaseCluster();
        TEST_UTIL.waitTableAvailable(hTableDescriptor.getTableName(), 5000L);
        List<Path> findStorefilePaths2 = findStorefilePaths(hTableDescriptor.getTableName());
        Assert.assertTrue(findStorefilePaths2.size() > 0);
        for (Path path2 : findStorefilePaths2) {
            Assert.assertTrue("Store file " + path2 + " has incorrect key", Bytes.equals(initialCFKey.getEncoded(), extractHFileKey(path2)));
        }
    }

    private static List<Path> findStorefilePaths(TableName tableName) throws Exception {
        ArrayList arrayList = new ArrayList();
        Iterator<HRegion> it = TEST_UTIL.getRSForFirstRegionInTable(tableName).getRegions(tableName).iterator();
        while (it.hasNext()) {
            Iterator<HStore> it2 = it.next().getStores().iterator();
            while (it2.hasNext()) {
                Iterator<HStoreFile> it3 = it2.next().getStorefiles().iterator();
                while (it3.hasNext()) {
                    arrayList.add(it3.next().getPath());
                }
            }
        }
        return arrayList;
    }

    private static List<Path> findCompactedStorefilePaths(TableName tableName) throws Exception {
        ArrayList arrayList = new ArrayList();
        Iterator<HRegion> it = TEST_UTIL.getRSForFirstRegionInTable(tableName).getRegions(tableName).iterator();
        while (it.hasNext()) {
            Iterator<HStore> it2 = it.next().getStores().iterator();
            while (it2.hasNext()) {
                Collection<HStoreFile> compactedfiles = it2.next().getStoreEngine().getStoreFileManager().getCompactedfiles();
                if (compactedfiles != null) {
                    Iterator<HStoreFile> it3 = compactedfiles.iterator();
                    while (it3.hasNext()) {
                        arrayList.add(it3.next().getPath());
                    }
                }
            }
        }
        return arrayList;
    }

    private void createTableAndFlush(HTableDescriptor hTableDescriptor) throws Exception {
        HColumnDescriptor next = hTableDescriptor.getFamilies().iterator().next();
        TEST_UTIL.getAdmin().createTable(hTableDescriptor);
        TEST_UTIL.waitTableAvailable(hTableDescriptor.getTableName(), 5000L);
        Table table = TEST_UTIL.getConnection().getTable(hTableDescriptor.getTableName());
        try {
            table.put(new Put(Bytes.toBytes("testrow")).addColumn(next.getName(), Bytes.toBytes("q"), Bytes.toBytes(LocalCacheFactory.VALUE)));
            table.close();
            TEST_UTIL.getAdmin().flush(hTableDescriptor.getTableName());
        } catch (Throwable th) {
            table.close();
            throw th;
        }
    }

    private static byte[] extractHFileKey(Path path) throws Exception {
        HFile.Reader createReader = HFile.createReader(TEST_UTIL.getTestFileSystem(), path, new CacheConfig(conf), true, conf);
        try {
            Encryption.Context encryptionContext = createReader.getFileContext().getEncryptionContext();
            Assert.assertNotNull("Reader has a null crypto context", encryptionContext);
            Key key = encryptionContext.getKey();
            Assert.assertNotNull("Crypto context has no key", key);
            byte[] encoded = key.getEncoded();
            createReader.close();
            return encoded;
        } catch (Throwable th) {
            createReader.close();
            throw th;
        }
    }

    static {
        byte[] bArr = new byte[16];
        Bytes.secureRandom(bArr);
        String str = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
        initialCFKey = new SecretKeySpec(bArr, str);
        Bytes.secureRandom(bArr);
        secondCFKey = new SecretKeySpec(bArr, str);
    }
}
