package org.apache.hadoop.hdfs;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.MiniKMS;
import org.apache.hadoop.fs.FileSystemTestHelper;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:org/apache/hadoop/hdfs/TestAclsEndToEnd.class */
public class TestAclsEndToEnd {
    // Plaintext the tests write into, and read back from, files inside encryption zones.
    private static final String TEXT = "The blue zone is for loading and unloading only. Please park in the red zone.";
    // Names of the KMS keys the tests create; key-specific ACL property names embed these names.
    private static final String KEY1 = "key1";
    private static final String KEY2 = "key2";
    private static final String KEY3 = "key3";
    // Identity the JVM runs as, captured once in captureUser(); teardown() restores it as the login user.
    private static UserGroupInformation realUgi;
    // Value of the "user.name" system property; setup() uses it to build the hadoop.proxyuser.<name>.* keys.
    private static String realUser;
    // Mini KMS for the current scenario and the directory holding its config files and keystore.
    private MiniKMS miniKMS;
    private File kmsDir;
    // Mini HDFS cluster for the current scenario and its file system handle.
    private MiniDFSCluster cluster;
    private DistributedFileSystem fs;
    private static final Log LOG = LogFactory.getLog(TestAclsEndToEnd.class.getName());
    // Directories the tests turn into (or try to turn into) encryption zones.
    private static final Path ZONE1 = new Path("/tmp/BLUEZONE");
    private static final Path ZONE2 = new Path("/tmp/REDZONE");
    private static final Path ZONE3 = new Path("/tmp/LOADINGZONE");
    private static final Path ZONE4 = new Path("/tmp/UNLOADINGZONE");
    // Files located under the zone directories above.
    private static final Path FILE1 = new Path(ZONE1, "file1");
    private static final Path FILE1A = new Path(ZONE1, "file1a");
    private static final Path FILE2 = new Path(ZONE2, "file2");
    private static final Path FILE3 = new Path(ZONE3, "file3");
    private static final Path FILE4 = new Path(ZONE4, "file4");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hdfs/TestAclsEndToEnd$UserOp.class */
    /**
     * A single operation that may fail with an {@link IOException}.
     *
     * NOTE(review): the call sites are outside this part of the file; presumably the
     * operation is run under a specific user's identity -- confirm against the callers.
     */
    public interface UserOp {
        /** Runs the operation. */
        void execute() throws IOException;
    }

    /**
     * Records, once per class, the identity the tests run as: the current
     * {@link UserGroupInformation} and the {@code user.name} system property.
     *
     * @throws IOException if the current user cannot be determined
     */
    @BeforeClass
    public static void captureUser() throws IOException {
        realUgi = UserGroupInformation.getCurrentUser();
        // NOTE(review): read from the JVM property rather than from realUgi; setup() uses it to
        // name the hadoop.proxyuser.* keys, so the two are presumably expected to agree -- confirm.
        realUser = System.getProperty("user.name");
    }

    /**
     * Builds the key provider URI for the running mini KMS: the KMS URL with its
     * {@code ://} separator replaced by {@code @}, prefixed with {@code kms://}.
     *
     * @return the URI that setup() stores under {@code hadoop.security.key.provider.path}
     */
    private String getKeyProviderURI() {
        final String kmsUrl = this.miniKMS.getKMSUrl().toExternalForm();
        final String flattened = kmsUrl.replace("://", "@");
        return "kms://" + flattened;
    }

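    /**
     * Writes the KMS configuration files into the given directory.
     *
     * <p>The same {@code configuration} (site settings plus whatever ACL properties the
     * caller put into it) is dumped to both {@code kms-site.xml} and {@code kms-acls.xml};
     * an empty configuration is written as the core-site file.
     *
     * <p>Each writer is opened in try-with-resources so that a failure in
     * {@code writeXml} does not leak the file handle.
     *
     * @param file directory that receives the configuration files
     * @param configuration KMS settings and ACLs for the scenario; modified in place
     * @throws IOException if a file cannot be written
     */
    private void writeConf(File file, Configuration configuration) throws IOException {
        // The keystore lives next to the config files, so reusing kmsDir keeps existing keys.
        configuration.set("hadoop.kms.key.provider.uri", "jceks://file@" + new Path(this.kmsDir.getAbsolutePath(), "kms.keystore").toUri());
        // "simple" authentication is only appropriate for a local mini KMS like this one;
        // the ACLs under test are evaluated against the user name the client presents.
        configuration.set("hadoop.kms.authentication.type", "simple");

        try (FileWriter siteWriter = new FileWriter(new File(file, "kms-site.xml"))) {
            configuration.writeXml(siteWriter);
        }
        try (FileWriter aclWriter = new FileWriter(new File(file, "kms-acls.xml"))) {
            configuration.writeXml(aclWriter);
        }
        try (FileWriter coreSiteWriter = new FileWriter(new File(file, YarnConfiguration.CORE_SITE_CONFIGURATION_FILE))) {
            new Configuration(false).writeXml(coreSiteWriter);
        }
    }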

    /**
     * Starts the mini KMS and mini HDFS cluster from scratch: a new KMS directory is
     * created and the {@code format} flag of the cluster builder is set.
     *
     * @param configuration KMS settings and ACLs for the scenario
     */
    private void setup(Configuration configuration) throws Exception {
        final boolean newKmsDir = true;
        final boolean formatHdfs = true;
        setup(configuration, newKmsDir, formatHdfs);
    }

    /**
     * Starts the mini KMS and mini HDFS cluster with the cluster builder's
     * {@code format} flag set.
     *
     * @param configuration KMS settings and ACLs for the scenario
     * @param z {@code true} to create a new KMS directory, {@code false} to reuse the
     *          current one (and with it the keystore written there)
     */
    private void setup(Configuration configuration, boolean z) throws Exception {
        final boolean formatHdfs = true;
        setup(configuration, z, formatHdfs);
    }

    /**
     * Writes the KMS configuration, starts the mini KMS, then builds a one-datanode
     * mini HDFS cluster that uses that KMS as its key provider.
     *
     * @param configuration KMS settings and ACLs for the scenario
     * @param z {@code true} to create a new KMS directory under the test root;
     *          {@code false} to reuse {@code kmsDir} as it is
     * @param z2 value passed to the cluster builder's {@code format(...)}
     * @throws Exception if the KMS or the cluster cannot be started
     */
    private void setup(Configuration configuration, boolean z, boolean z2) throws Exception {
        if (z) {
            final String testRoot = new FileSystemTestHelper().getTestRootDir();
            this.kmsDir = new File(testRoot).getAbsoluteFile();
            Assert.assertTrue(this.kmsDir.mkdirs());
        }
        writeConf(this.kmsDir, configuration);
        this.miniKMS = new MiniKMS.Builder().setKmsConfDir(this.kmsDir).build();
        this.miniKMS.start();

        // The real user may impersonate exactly the three test identities, from any host.
        // The "*" host pattern is a mini-cluster convenience, not a setting to copy elsewhere.
        final String proxyUserPrefix = "hadoop.proxyuser." + realUser;
        final HdfsConfiguration hdfsConf = new HdfsConfiguration();
        hdfsConf.set(proxyUserPrefix + ".users", "keyadmin,hdfs,user");
        hdfsConf.set(proxyUserPrefix + ".hosts", "*");
        hdfsConf.set("hadoop.security.key.provider.path", getKeyProviderURI());
        hdfsConf.setBoolean(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);

        this.cluster = new MiniDFSCluster.Builder(hdfsConf).numDataNodes(1).format(z2).build();
        this.fs = this.cluster.getFileSystem();
    }

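    /**
     * Restores the captured login user and stops the mini cluster and mini KMS.
     *
     * <p>Both services are null-checked because setup() can fail before either is
     * assigned; an unguarded call here would replace the real failure with a
     * NullPointerException. The KMS is stopped in a {@code finally} so that a failing
     * cluster shutdown does not leave it running.
     */
    private void teardown() {
        // Tests switch identities; put the original login user back first.
        UserGroupInformation.setLoginUser(realUgi);
        try {
            if (this.cluster != null) {
                this.cluster.shutdown();
            }
        } finally {
            if (this.miniKMS != null) {
                this.miniKMS.stop();
            }
        }
    }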

    /**
     * Builds the operation-level KMS ACLs shared by the full ACL tests.
     *
     * <p>Callers in this file pass the "hdfs" identity first and the "keyadmin" identity
     * second. Key lifecycle operations and GET_KEYS go to the key admin, GET_METADATA and
     * GENERATE_EEK go to hdfs, GET and SET_KEY_MATERIAL are set to a single space, and
     * DECRYPT_EEK is set to {@code *}.
     *
     * @param userGroupInformation identity granted GET_METADATA and GENERATE_EEK
     * @param userGroupInformation2 identity granted CREATE, DELETE, ROLLOVER and GET_KEYS
     * @return a new configuration holding those ACLs
     */
    private static Configuration getBaseConf(UserGroupInformation userGroupInformation, UserGroupInformation userGroupInformation2) {
        final String hdfsName = userGroupInformation.getUserName();
        final String keyadminName = userGroupInformation2.getUserName();
        final Configuration conf = new Configuration();

        // Key lifecycle: key admin only.
        conf.set("hadoop.kms.acl.CREATE", keyadminName);
        conf.set("hadoop.kms.acl.DELETE", keyadminName);
        conf.set("hadoop.kms.acl.ROLLOVER", keyadminName);

        // A single space is the value the tests in this file use to grant an operation to nobody.
        conf.set("hadoop.kms.acl.GET", " ");
        conf.set("hadoop.kms.acl.GET_KEYS", keyadminName);
        conf.set("hadoop.kms.acl.GET_METADATA", hdfsName);
        conf.set("hadoop.kms.acl.SET_KEY_MATERIAL", " ");
        conf.set("hadoop.kms.acl.GENERATE_EEK", hdfsName);

        // Open at the operation level; the per-key DECRYPT_EEK ACL and the blacklist narrow it.
        conf.set("hadoop.kms.acl.DECRYPT_EEK", "*");
        return conf;
    }

    /**
     * Adds KMS blacklist entries to the configuration.
     *
     * <p>The given identity (callers in this file pass "hdfs") is blacklisted for CREATE,
     * DELETE, ROLLOVER and DECRYPT_EEK; GET and SET_KEY_MATERIAL are blacklisted for
     * {@code *}.
     *
     * @param configuration configuration to modify in place
     * @param userGroupInformation identity to blacklist
     */
    private static void setBlacklistAcls(Configuration configuration, UserGroupInformation userGroupInformation) {
        final String blockedName = userGroupInformation.getUserName();

        // Key management is denied to this identity whatever the ACLs say.
        configuration.set("hadoop.kms.blacklist.CREATE", blockedName);
        configuration.set("hadoop.kms.blacklist.DELETE", blockedName);
        configuration.set("hadoop.kms.blacklist.ROLLOVER", blockedName);

        // Raw key material is off limits to everyone.
        configuration.set("hadoop.kms.blacklist.GET", "*");
        configuration.set("hadoop.kms.blacklist.SET_KEY_MATERIAL", "*");

        // This identity must not be able to decrypt EEKs, i.e. read file contents.
        configuration.set("hadoop.kms.blacklist.DECRYPT_EEK", blockedName);
    }

    /**
     * Adds key-level ACLs under the given property prefix.
     *
     * <p>Callers in this file pass {@code "whitelist.key.acl."} or {@code "key.acl.key1."}
     * as the prefix, and the "hdfs", "keyadmin" and "user" identities in that order.
     *
     * @param configuration configuration to modify in place
     * @param str property-name prefix for the MANAGEMENT, READ and GENERATE_EEK entries
     * @param userGroupInformation identity granted READ and GENERATE_EEK
     * @param userGroupInformation2 identity granted MANAGEMENT
     * @param userGroupInformation3 identity granted DECRYPT_EEK on key1
     */
    private static void setKeyAcls(Configuration configuration, String str, UserGroupInformation userGroupInformation, UserGroupInformation userGroupInformation2, UserGroupInformation userGroupInformation3) {
        final String hdfsName = userGroupInformation.getUserName();
        final String keyadminName = userGroupInformation2.getUserName();
        final String userName = userGroupInformation3.getUserName();

        configuration.set(str + "MANAGEMENT", keyadminName);
        configuration.set(str + "READ", hdfsName);
        configuration.set(str + "GENERATE_EEK", hdfsName);

        // NOTE(review): DECRYPT_EEK ignores the prefix and always goes on the key-specific
        // ACL for key1. That looks deliberate (decrypt rights are never granted through
        // the whitelist here) -- confirm before "fixing" it to use the prefix.
        configuration.set("key.acl.key1.DECRYPT_EEK", userName);
    }

    /**
     * Runs the full ACL scenario with operation-level ACLs, blacklist entries and
     * key ACLs supplied through the {@code whitelist.key.acl.} prefix.
     */
    @Test
    public void testGoodWithWhitelist() throws Exception {
        final UserGroupInformation hdfsUgi = UserGroupInformation.createProxyUserForTesting(
                "hdfs", realUgi, new String[]{DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT});
        final UserGroupInformation keyadminUgi = UserGroupInformation.createProxyUserForTesting(
                "keyadmin", realUgi, new String[]{"keyadmin"});
        final UserGroupInformation userUgi = UserGroupInformation.createProxyUserForTesting(
                "user", realUgi, new String[]{"staff"});

        final Configuration conf = getBaseConf(hdfsUgi, keyadminUgi);
        setBlacklistAcls(conf, hdfsUgi);
        setKeyAcls(conf, "whitelist.key.acl.", hdfsUgi, keyadminUgi, userUgi);
        doFullAclTest(conf, hdfsUgi, keyadminUgi, userUgi);
    }

    /**
     * Runs the full ACL scenario with operation-level ACLs, blacklist entries and
     * key ACLs supplied through the key-specific {@code key.acl.key1.} prefix.
     */
    @Test
    public void testGoodWithKeyAcls() throws Exception {
        final UserGroupInformation hdfsUgi = UserGroupInformation.createProxyUserForTesting(
                "hdfs", realUgi, new String[]{DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT});
        final UserGroupInformation keyadminUgi = UserGroupInformation.createProxyUserForTesting(
                "keyadmin", realUgi, new String[]{"keyadmin"});
        final UserGroupInformation userUgi = UserGroupInformation.createProxyUserForTesting(
                "user", realUgi, new String[]{"staff"});

        final Configuration conf = getBaseConf(hdfsUgi, keyadminUgi);
        setBlacklistAcls(conf, hdfsUgi);
        setKeyAcls(conf, "key.acl.key1.", hdfsUgi, keyadminUgi, userUgi);
        doFullAclTest(conf, hdfsUgi, keyadminUgi, userUgi);
    }

    /**
     * Runs the full ACL scenario with operation-level ACLs and whitelist key ACLs but no
     * blacklist entries, so every denial has to come from the ACLs themselves.
     */
    @Test
    public void testGoodWithWhitelistWithoutBlacklist() throws Exception {
        final UserGroupInformation hdfsUgi = UserGroupInformation.createProxyUserForTesting(
                "hdfs", realUgi, new String[]{DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT});
        final UserGroupInformation keyadminUgi = UserGroupInformation.createProxyUserForTesting(
                "keyadmin", realUgi, new String[]{"keyadmin"});
        final UserGroupInformation userUgi = UserGroupInformation.createProxyUserForTesting(
                "user", realUgi, new String[]{"staff"});

        final Configuration conf = getBaseConf(hdfsUgi, keyadminUgi);
        setKeyAcls(conf, "whitelist.key.acl.", hdfsUgi, keyadminUgi, userUgi);
        doFullAclTest(conf, hdfsUgi, keyadminUgi, userUgi);
    }

    /**
     * Runs the full ACL scenario with operation-level ACLs and key-specific ACLs for key1
     * but no blacklist entries, so every denial has to come from the ACLs themselves.
     */
    @Test
    public void testGoodWithKeyAclsWithoutBlacklist() throws Exception {
        final UserGroupInformation hdfsUgi = UserGroupInformation.createProxyUserForTesting(
                "hdfs", realUgi, new String[]{DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT});
        final UserGroupInformation keyadminUgi = UserGroupInformation.createProxyUserForTesting(
                "keyadmin", realUgi, new String[]{"keyadmin"});
        final UserGroupInformation userUgi = UserGroupInformation.createProxyUserForTesting(
                "user", realUgi, new String[]{"staff"});

        final Configuration conf = getBaseConf(hdfsUgi, keyadminUgi);
        setKeyAcls(conf, "key.acl.key1.", hdfsUgi, keyadminUgi, userUgi);
        doFullAclTest(conf, hdfsUgi, keyadminUgi, userUgi);
    }

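    /**
     * Exercises the whole separation-of-duties story against one ACL configuration:
     * only the key admin manages keys, only hdfs creates encryption zones, and only the
     * end user creates and reads files inside a zone.
     *
     * <p>Callers in this file pass the "hdfs", "keyadmin" and "user" identities in that
     * order. Cleanup runs in a {@code finally} block exactly once; the zone deletes are
     * skipped when setup() failed before a file system existed, so the original failure
     * is not replaced by a NullPointerException. The key-deletion assertion messages name
     * the key rather than a file, since that is what is being deleted.
     *
     * @param configuration KMS ACL configuration under test
     * @param userGroupInformation the HDFS superuser identity
     * @param userGroupInformation2 the key administrator identity
     * @param userGroupInformation3 the ordinary end-user identity
     * @throws Exception on setup failure or any unexpected error
     */
    private void doFullAclTest(Configuration configuration, UserGroupInformation userGroupInformation, UserGroupInformation userGroupInformation2, UserGroupInformation userGroupInformation3) throws Exception {
        final UserGroupInformation hdfsUgi = userGroupInformation;
        final UserGroupInformation keyadminUgi = userGroupInformation2;
        final UserGroupInformation userUgi = userGroupInformation3;
        final String hdfsName = hdfsUgi.getUserName();
        final String keyadminName = keyadminUgi.getUserName();
        final String userName = userUgi.getUserName();

        try {
            setup(configuration);

            // Key creation: key admin only.
            Assert.assertTrue("Exception during creation of key " + KEY1 + " by " + keyadminName,
                    createKey(keyadminUgi, KEY1, configuration));
            Assert.assertFalse("Allowed creation of key " + KEY2 + " by " + hdfsName,
                    createKey(hdfsUgi, KEY2, configuration));
            Assert.assertFalse("Allowed creation of key " + KEY2 + " by " + userName,
                    createKey(userUgi, KEY2, configuration));

            // Zone creation: hdfs only. The directory is handed to the end user first.
            this.fs.mkdirs(ZONE1);
            this.fs.setOwner(ZONE1, userName, userUgi.getPrimaryGroupName());
            Assert.assertTrue("Exception during creation of EZ " + ZONE1 + " by " + hdfsName + " using key " + KEY1,
                    createEncryptionZone(hdfsUgi, KEY1, ZONE1));
            Assert.assertFalse("Allowed creation of EZ " + ZONE2 + " by " + keyadminName + " using key " + KEY1,
                    createEncryptionZone(keyadminUgi, KEY1, ZONE2));
            Assert.assertFalse("Allowed creation of EZ " + ZONE2 + " by " + userName + " using key " + KEY1,
                    createEncryptionZone(userUgi, KEY1, ZONE2));

            // File creation inside the zone: end user only.
            Assert.assertTrue("Exception during creation of file " + FILE1 + " by " + userName,
                    createFile(userUgi, FILE1, TEXT));
            Assert.assertFalse("Allowed creation of file " + FILE1A + " by " + hdfsName,
                    createFile(hdfsUgi, FILE1A, TEXT));
            Assert.assertFalse("Allowed creation of file " + FILE1A + " by " + keyadminName,
                    createFile(keyadminUgi, FILE1A, TEXT));

            // Reading the plaintext back: end user only. Neither the storage admin nor the
            // key admin may see the data.
            Assert.assertTrue("Exception while reading file " + FILE1 + " by " + userName,
                    compareFile(userUgi, FILE1, TEXT));
            Assert.assertFalse("Allowed reading of file " + FILE1 + " by " + hdfsName,
                    compareFile(hdfsUgi, FILE1, TEXT));
            Assert.assertFalse("Allowed reading of file " + FILE1 + " by " + keyadminName,
                    compareFile(keyadminUgi, FILE1, TEXT));

            // Remove the zone before the key that protects it.
            this.fs.delete(ZONE1, true);

            // Key deletion: key admin only.
            Assert.assertFalse("Allowed deletion of key " + KEY1 + " by " + hdfsName,
                    deleteKey(hdfsUgi, KEY1));
            Assert.assertFalse("Allowed deletion of key " + KEY1 + " by " + userName,
                    deleteKey(userUgi, KEY1));
            Assert.assertTrue("Exception during deletion of key " + KEY1 + " by " + keyadminName,
                    deleteKey(keyadminUgi, KEY1));
        } finally {
            try {
                if (this.fs != null) {
                    this.fs.delete(ZONE1, true);
                    this.fs.delete(ZONE2, true);
                }
            } finally {
                // Always stop the services, even if removing the zones failed.
                teardown();
            }
        }
    }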

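    /**
     * Checks which combinations of operation-level KMS ACL, blacklist and key ACL allow
     * the real user to create a key.
     *
     * <p>Each scenario gets its own KMS and cluster and is torn down exactly once, whether
     * it passes or fails. The nested form this replaces skipped teardown when either of
     * the first two scenarios failed and repeated it on services that were already
     * stopped after the later ones.
     */
    @Test
    public void testCreateKey() throws Exception {
        final String me = realUgi.getUserName();

        // 1. CREATE operation ACL plus MANAGEMENT through the whitelist key ACL: allowed.
        Configuration conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", me);
        conf.set("whitelist.key.acl.MANAGEMENT", me);
        checkKeyCreation(conf, KEY1, true, "Exception during key creation with correct config using whitelist key ACLs");

        // 2. CREATE operation ACL plus MANAGEMENT through the default key ACL: allowed.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", me);
        conf.set("default.key.acl.MANAGEMENT", me);
        checkKeyCreation(conf, KEY2, true, "Exception during key creation with correct config using default key ACLs");

        // 3. Same grants as scenario 1, but the user is blacklisted for CREATE: the blacklist wins.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", me);
        conf.set("hadoop.kms.blacklist.CREATE", me);
        conf.set("whitelist.key.acl.MANAGEMENT", me);
        checkKeyCreation(conf, KEY3, false, "Allowed key creation with blacklist for CREATE");

        // 4. CREATE operation ACL granted to nobody (" "): denied despite the key ACL.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", " ");
        conf.set("whitelist.key.acl.MANAGEMENT", me);
        checkKeyCreation(conf, KEY3, false, "Allowed key creation without CREATE KMS ACL");

        // 5. CREATE operation ACL but no MANAGEMENT key ACL at all: denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", me);
        checkKeyCreation(conf, KEY3, false, "Allowed key creation without MANAGMENT key ACL");

        // 6. A key-specific ACL exists for key3 (DECRYPT_EEK only), so the default key ACL
        //    that grants MANAGEMENT must no longer apply to key3: denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", me);
        conf.set("default.key.acl.MANAGEMENT", me);
        conf.set("key.acl.key3.DECRYPT_EEK", me);
        checkKeyCreation(conf, KEY3, false, "Allowed key creation when default key ACL should have been overridden by key ACL");

        // 7. No operation-level CREATE ACL configured: the test expects creation to succeed,
        //    i.e. an unset operation ACL is permissive and only the key ACL restricts.
        conf = new Configuration();
        conf.set("whitelist.key.acl.MANAGEMENT", me);
        checkKeyCreation(conf, KEY3, true, "Exception during key creation with default KMS ACLs");
    }

    /**
     * Starts fresh services with the given ACLs, attempts to create a key as the real
     * user, asserts the outcome, and always tears the services down.
     */
    private void checkKeyCreation(Configuration conf, String keyName, boolean expectAllowed, String message) throws Exception {
        try {
            setup(conf);
            final boolean created = createKey(realUgi, keyName, conf);
            if (expectAllowed) {
                Assert.assertTrue(message, created);
            } else {
                Assert.assertFalse(message, created);
            }
        } finally {
            teardown();
        }
    }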

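    /**
     * Checks which combinations of operation-level KMS ACL, blacklist and key ACL allow
     * the real user to create an encryption zone with key1.
     *
     * <p>Zone creation is expected to need GET_METADATA and GENERATE_EEK at the operation
     * level and READ and GENERATE_EEK at the key level. Each scenario is torn down exactly
     * once, whether it passes or fails; the nested form this replaces either skipped
     * cleanup or ran several cleanup blocks against an already stopped cluster when a
     * scenario failed.
     */
    @Test
    public void testCreateEncryptionZone() throws Exception {
        final String me = realUgi.getUserName();

        // Create key1 once. Later scenarios reuse the KMS directory, and with it the keystore.
        Configuration conf = new Configuration();
        conf.set("hadoop.kms.acl.CREATE", me);
        conf.set("whitelist.key.acl.MANAGEMENT", me);
        try {
            setup(conf);
            Assert.assertTrue("Exception during key creation", createKey(realUgi, KEY1, conf));
        } finally {
            teardown();
        }

        // Operation ACLs plus READ/GENERATE_EEK through the whitelist key ACL: allowed.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("whitelist.key.acl.READ", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE1, true, "Exception during zone creation with correct config using whitelist key ACLs");

        // Operation ACLs plus READ/GENERATE_EEK through the default key ACL: allowed.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("default.key.acl.READ", me);
        conf.set("default.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE2, true, "Exception during zone creation with correct config using default key ACLs");

        // A key-specific ACL exists for key1 (DECRYPT_EEK only), so the default key ACLs
        // must no longer apply to key1: denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("default.key.acl.READ", me);
        conf.set("default.key.acl.GENERATE_EEK", me);
        conf.set("key.acl.key1.DECRYPT_EEK", me);
        checkZoneCreation(conf, ZONE3, false, "Allowed creation of zone when default key ACLs should have been overridden by key ACL");

        // Blacklisted for GET_METADATA: the blacklist wins over the grants.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("hadoop.kms.blacklist.GET_METADATA", me);
        conf.set("whitelist.key.acl.READ", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE3, false, "Allowed zone creation of zone with blacklisted GET_METADATA");

        // Blacklisted for GENERATE_EEK: the blacklist wins over the grants.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("hadoop.kms.blacklist.GENERATE_EEK", me);
        conf.set("whitelist.key.acl.READ", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE3, false, "Allowed zone creation of zone with blacklisted GENERATE_EEK");

        // No operation-level ACLs configured: the test expects success, i.e. unset
        // operation ACLs are permissive and only the key ACLs restrict.
        conf = new Configuration();
        conf.set("whitelist.key.acl.READ", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE3, true, "Exception during zone creation with default KMS ACLs");

        // GET_METADATA operation ACL granted to nobody (" "): denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", " ");
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("whitelist.key.acl.READ", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE4, false, "Allowed zone creation without GET_METADATA KMS ACL");

        // GENERATE_EEK operation ACL granted to nobody (" "): denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", " ");
        conf.set("whitelist.key.acl.READ", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE4, false, "Allowed zone creation without GENERATE_EEK KMS ACL");

        // No READ key ACL: denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("whitelist.key.acl.GENERATE_EEK", me);
        checkZoneCreation(conf, ZONE4, false, "Allowed zone creation without READ ACL");

        // No GENERATE_EEK key ACL: denied.
        conf = new Configuration();
        conf.set("hadoop.kms.acl.GET_METADATA", me);
        conf.set("hadoop.kms.acl.GENERATE_EEK", me);
        conf.set("whitelist.key.acl.READ", me);
        checkZoneCreation(conf, ZONE4, false, "Allowed zone creation without GENERATE_EEK ACL");
    }

    /**
     * Restarts the services with the given ACLs while keeping the existing KMS directory,
     * attempts to make {@code zone} an encryption zone with key1 as the real user, asserts
     * the outcome, then removes the directory and tears the services down.
     */
    private void checkZoneCreation(Configuration conf, Path zone, boolean expectAllowed, String message) throws Exception {
        try {
            // false: reuse kmsDir so the keystore holding key1 is still there.
            setup(conf, false);
            this.fs.mkdirs(zone);
            final boolean created = createEncryptionZone(realUgi, KEY1, zone);
            if (expectAllowed) {
                Assert.assertTrue(message, created);
            } else {
                Assert.assertFalse(message, created);
            }
        } finally {
            try {
                this.fs.delete(zone, true);
            } finally {
                // Always stop the services, even if removing the directory failed.
                teardown();
            }
        }
    }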

    @Test
    public void testCreateFileInEncryptionZone() throws Exception {
        Configuration configuration;
        Configuration configuration2 = new Configuration();
        configuration2.set("hadoop.kms.acl.CREATE", realUgi.getUserName());
        configuration2.set("hadoop.kms.acl.GET_METADATA", realUgi.getUserName());
        configuration2.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
        configuration2.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
        configuration2.set("whitelist.key.acl.READ", realUgi.getUserName());
        configuration2.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
        Assert.assertTrue(new File(this.kmsDir, "kms.keystore").length() == 0);
        try {
            try {
                setup(configuration2);
                Assert.assertTrue("Exception during key creation", createKey(realUgi, KEY1, configuration2));
                this.fs.mkdirs(ZONE1);
                Assert.assertTrue("Exception during zone creation", createEncryptionZone(realUgi, KEY1, ZONE1));
                this.fs.mkdirs(ZONE2);
                Assert.assertTrue("Exception during zone creation", createEncryptionZone(realUgi, KEY1, ZONE2));
                this.fs.mkdirs(ZONE3);
                Assert.assertTrue("Exception during zone creation", createEncryptionZone(realUgi, KEY1, ZONE3));
                this.fs.mkdirs(ZONE4);
                Assert.assertTrue("Exception during zone creation", createEncryptionZone(realUgi, KEY1, ZONE4));
                teardown();
                Configuration configuration3 = new Configuration();
                configuration3.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                configuration3.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                configuration3.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                configuration3.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                try {
                    setup(configuration3, false, false);
                    Assert.assertTrue("Exception during file creation with correct config using whitelist ACL", createFile(realUgi, FILE1, TEXT));
                    this.fs.delete(ZONE1, true);
                    teardown();
                    Configuration configuration4 = new Configuration();
                    configuration4.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                    configuration4.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                    configuration4.set("default.key.acl.GENERATE_EEK", realUgi.getUserName());
                    configuration4.set("default.key.acl.DECRYPT_EEK", realUgi.getUserName());
                    try {
                        setup(configuration4, false, false);
                        Assert.assertTrue("Exception during file creation with correct config using whitelist ACL", createFile(realUgi, FILE2, TEXT));
                        this.fs.delete(ZONE2, true);
                        teardown();
                        Configuration configuration5 = new Configuration();
                        configuration5.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                        configuration5.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                        configuration5.set("default.key.acl.GENERATE_EEK", realUgi.getUserName());
                        configuration5.set("default.key.acl.DECRYPT_EEK", realUgi.getUserName());
                        configuration5.set("key.acl.key1.READ", realUgi.getUserName());
                        try {
                            try {
                                setup(configuration5, false, false);
                                Assert.assertFalse("Allowed file creation when default key ACLs should have been overridden by key ACL", createFile(realUgi, FILE3, TEXT));
                                teardown();
                                Configuration configuration6 = new Configuration();
                                configuration6.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                                configuration6.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                                configuration6.set("hadoop.kms.blacklist.GENERATE_EEK", realUgi.getUserName());
                                configuration6.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                                configuration6.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                try {
                                    try {
                                        setup(configuration6, false, false);
                                        Assert.assertFalse("Allowed file creation with blacklist for GENERATE_EEK", createFile(realUgi, FILE3, TEXT));
                                        teardown();
                                        Configuration configuration7 = new Configuration();
                                        configuration7.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                                        configuration7.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                                        configuration7.set("hadoop.kms.blacklist.DECRYPT_EEK", realUgi.getUserName());
                                        configuration7.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                                        configuration7.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                        try {
                                            try {
                                                setup(configuration7, false, false);
                                                Assert.assertFalse("Allowed file creation with blacklist for DECRYPT_EEK", createFile(realUgi, FILE3, TEXT));
                                                teardown();
                                                Configuration configuration8 = new Configuration();
                                                configuration8.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                                                configuration8.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                                try {
                                                    try {
                                                        setup(configuration8, false, false);
                                                        Assert.assertTrue("Exception during file creation with default KMS ACLs", createFile(realUgi, FILE3, TEXT));
                                                        teardown();
                                                        Configuration configuration9 = new Configuration();
                                                        configuration9.set("hadoop.kms.acl.GENERATE_EEK", " ");
                                                        configuration9.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                                                        configuration9.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                                                        configuration9.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                                        try {
                                                            try {
                                                                setup(configuration9, false, false);
                                                                Assert.assertFalse("Allowed file creation without GENERATE_EEK KMS ACL", createFile(realUgi, FILE4, TEXT));
                                                                teardown();
                                                                Configuration configuration10 = new Configuration();
                                                                configuration10.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                                                                configuration10.set("hadoop.kms.acl.DECRYPT_EEK", " ");
                                                                configuration10.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                                                                configuration10.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                                                try {
                                                                    try {
                                                                        setup(configuration10, false, false);
                                                                        Assert.assertFalse("Allowed file creation without DECRYPT_EEK KMS ACL", createFile(realUgi, FILE3, TEXT));
                                                                        teardown();
                                                                        Configuration configuration11 = new Configuration();
                                                                        configuration11.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                                                                        configuration11.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                                                                        configuration11.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                                                        try {
                                                                            try {
                                                                                setup(configuration11, false, false);
                                                                                Assert.assertFalse("Allowed file creation without GENERATE_EEK key ACL", createFile(realUgi, FILE3, TEXT));
                                                                                teardown();
                                                                                configuration = new Configuration();
                                                                                configuration.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
                                                                                configuration.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                                                                                configuration.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
                                                                            } catch (Exception e) {
                                                                                this.fs.delete(ZONE3, true);
                                                                                throw e;
                                                                            }
                                                                            try {
                                                                                try {
                                                                                    setup(configuration, false, false);
                                                                                    Assert.assertFalse("Allowed file creation without DECRYPT_EEK key ACL", createFile(realUgi, FILE3, TEXT));
                                                                                    teardown();
                                                                                } catch (Exception e2) {
                                                                                    this.fs.delete(ZONE3, true);
                                                                                    throw e2;
                                                                                }
                                                                            } finally {
                                                                                teardown();
                                                                            }
                                                                        } finally {
                                                                            teardown();
                                                                        }
                                                                    } catch (Exception e3) {
                                                                        this.fs.delete(ZONE3, true);
                                                                        throw e3;
                                                                    }
                                                                } finally {
                                                                    teardown();
                                                                }
                                                            } finally {
                                                                teardown();
                                                            }
                                                        } catch (Exception e4) {
                                                            this.fs.delete(ZONE3, true);
                                                            throw e4;
                                                        }
                                                    } finally {
                                                        teardown();
                                                    }
                                                } catch (Exception e5) {
                                                    this.fs.delete(ZONE3, true);
                                                    throw e5;
                                                }
                                            } finally {
                                                teardown();
                                            }
                                        } catch (Exception e6) {
                                            this.fs.delete(ZONE3, true);
                                            throw e6;
                                        }
                                    } catch (Exception e7) {
                                        this.fs.delete(ZONE3, true);
                                        throw e7;
                                    }
                                } finally {
                                    teardown();
                                }
                            } finally {
                            }
                        } catch (Exception e8) {
                            this.fs.delete(ZONE3, true);
                            throw e8;
                        }
                    } catch (Throwable th) {
                        this.fs.delete(ZONE2, true);
                        teardown();
                        throw th;
                    }
                } catch (Throwable th2) {
                    this.fs.delete(ZONE1, true);
                    teardown();
                    throw th2;
                }
            } finally {
            }
        } catch (Throwable th3) {
            this.fs.delete(ZONE1, true);
            this.fs.delete(ZONE2, true);
            this.fs.delete(ZONE3, true);
            this.fs.delete(ZONE4, true);
            throw th3;
        }
    }

    /**
     * Checks which KMS and key ACL combinations allow the real user to read a
     * file that lives inside an encryption zone.
     *
     * <p>Stage 1 creates {@code key1}, the zone {@code ZONE1} and {@code FILE1}
     * under a configuration that grants the user every ACL set below. Each
     * later stage calls {@code teardown()}, builds a fresh {@link Configuration},
     * calls {@code setup} again and asserts the result of {@code compareFile}:
     * <ul>
     *   <li>allowed: KMS DECRYPT_EEK plus whitelist key ACL DECRYPT_EEK;</li>
     *   <li>allowed: KMS DECRYPT_EEK plus default key ACL DECRYPT_EEK;</li>
     *   <li>denied: as above, but a key-specific ACL exists for key1 (READ only);</li>
     *   <li>denied: user is listed in the KMS blacklist for DECRYPT_EEK;</li>
     *   <li>allowed: only the whitelist key ACL is set (no hadoop.kms.acl.* entry);</li>
     *   <li>denied: KMS DECRYPT_EEK ACL is a single space;</li>
     *   <li>denied: empty configuration, so no key ACL is granted.</li>
     * </ul>
     *
     * <p>NOTE(review): {@code compareFile} goes through {@code doUserOp}, which
     * maps every {@link IOException} to {@code false}. The "denied" assertions
     * therefore pass on any I/O failure, not only on an authorization failure.
     *
     * @throws Exception if fixture setup or teardown fails
     */
    @Test
    public void testReadFileInEncryptionZone() throws Exception {
        Configuration configuration;
        Configuration configuration2;
        Configuration configuration3;
        // Stage 1 fixture: grant the real user the KMS ACLs and whitelist key ACLs
        // used to create the key, the zone and the file.
        Configuration configuration4 = new Configuration();
        configuration4.set("hadoop.kms.acl.CREATE", realUgi.getUserName());
        configuration4.set("hadoop.kms.acl.GET_METADATA", realUgi.getUserName());
        configuration4.set("hadoop.kms.acl.GENERATE_EEK", realUgi.getUserName());
        configuration4.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
        configuration4.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
        configuration4.set("whitelist.key.acl.READ", realUgi.getUserName());
        configuration4.set("whitelist.key.acl.GENERATE_EEK", realUgi.getUserName());
        configuration4.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
        // Precondition: the keystore file is empty or absent (File.length() is 0 in both cases).
        Assert.assertTrue(new File(this.kmsDir, "kms.keystore").length() == 0);
        // NOTE(review): the finally blocks of the first two stages are empty, so a
        // failure there does not reach teardown() — presumably a decompilation
        // artefact; confirm against the original source.
        try {
            try {
                setup(configuration4);
                Assert.assertTrue("Exception during key creation", createKey(realUgi, KEY1, configuration4));
                this.fs.mkdirs(ZONE1);
                Assert.assertTrue("Exception during zone creation", createEncryptionZone(realUgi, KEY1, ZONE1));
                Assert.assertTrue("Exception during file creation", createFile(realUgi, FILE1, TEXT));
                teardown();
                // Stage 2: KMS DECRYPT_EEK + whitelist key ACL DECRYPT_EEK -> read expected to succeed.
                // The two false arguments presumably keep the existing keystore and
                // cluster data across the restart — TODO confirm against setup().
                Configuration configuration5 = new Configuration();
                configuration5.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                configuration5.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                try {
                    try {
                        setup(configuration5, false, false);
                        Assert.assertTrue("Exception while reading file with correct config with whitelist ACLs", compareFile(realUgi, FILE1, TEXT));
                        teardown();
                        // Stage 3 configuration: KMS DECRYPT_EEK + default key ACL DECRYPT_EEK.
                        configuration = new Configuration();
                        configuration.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                        configuration.set("default.key.acl.DECRYPT_EEK", realUgi.getUserName());
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
            // From here on each stage's finally calls teardown(), which also runs a
            // second time after the in-line teardown() on the success path.
            try {
                try {
                    // Stage 3: default key ACL -> read expected to succeed.
                    setup(configuration, false, false);
                    Assert.assertTrue("Exception while reading file with correct config with default ACLs", compareFile(realUgi, FILE1, TEXT));
                    teardown();
                    // Stage 4: a key-specific ACL for key1 grants READ only; the read is
                    // expected to be denied even though the default key ACL grants DECRYPT_EEK.
                    Configuration configuration6 = new Configuration();
                    configuration6.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                    configuration6.set("default.key.acl.DECRYPT_EEK", realUgi.getUserName());
                    configuration6.set("key.acl.key1.READ", realUgi.getUserName());
                    try {
                        try {
                            setup(configuration6, false, false);
                            Assert.assertFalse("Allowed file read when default key ACLs should have been overridden by key ACL", compareFile(realUgi, FILE1, TEXT));
                            teardown();
                            // Stage 5 configuration: user is both allowed and blacklisted for DECRYPT_EEK.
                            configuration2 = new Configuration();
                            configuration2.set("hadoop.kms.acl.DECRYPT_EEK", realUgi.getUserName());
                            configuration2.set("hadoop.kms.blacklist.DECRYPT_EEK", realUgi.getUserName());
                            configuration2.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                        } finally {
                        }
                        try {
                            try {
                                // Stage 5: the blacklist entry is expected to win -> read denied.
                                setup(configuration2, false, false);
                                Assert.assertFalse("Allowed file read with blacklist for DECRYPT_EEK", compareFile(realUgi, FILE1, TEXT));
                                teardown();
                                // Stage 6 configuration: only the whitelist key ACL, no hadoop.kms.acl.* entry.
                                configuration3 = new Configuration();
                                configuration3.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                            } finally {
                            }
                            try {
                                try {
                                    // Stage 6: KMS ACLs left at their defaults -> read expected to succeed.
                                    setup(configuration3, false, false);
                                    Assert.assertTrue("Exception while reading file with default KMS ACLs", compareFile(realUgi, FILE1, TEXT));
                                    teardown();
                                    // Stage 7: KMS DECRYPT_EEK ACL set to a single space -> read expected to be denied.
                                    Configuration configuration7 = new Configuration();
                                    configuration7.set("hadoop.kms.acl.DECRYPT_EEK", " ");
                                    configuration7.set("whitelist.key.acl.DECRYPT_EEK", realUgi.getUserName());
                                    try {
                                        try {
                                            setup(configuration7, false, false);
                                            Assert.assertFalse("Allowed file read without DECRYPT_EEK KMS ACL", compareFile(realUgi, FILE1, TEXT));
                                            teardown();
                                            try {
                                                try {
                                                    // Stage 8: empty configuration, so no key ACL is set -> read expected to be denied.
                                                    setup(new Configuration(), false, false);
                                                    Assert.assertFalse("Allowed file read without DECRYPT_EEK key ACL", compareFile(realUgi, FILE1, TEXT));
                                                    teardown();
                                                } finally {
                                                }
                                            } finally {
                                                teardown();
                                            }
                                        } finally {
                                        }
                                    } finally {
                                        teardown();
                                    }
                                } finally {
                                }
                            } finally {
                                teardown();
                            }
                        } finally {
                            teardown();
                        }
                    } finally {
                        teardown();
                    }
                } finally {
                    teardown();
                }
            } finally {
            }
        } finally {
        }
    }

    /**
     * Checks which KMS and key ACL combinations allow the real user to delete a key.
     *
     * <p>Stage 1 creates {@code key1}, {@code key2} and {@code key3} with the
     * KMS CREATE ACL and the whitelist key ACL MANAGEMENT. Each later stage
     * calls {@code teardown()}, builds a fresh {@link Configuration}, calls
     * {@code setup} again and asserts the result of {@code deleteKey}:
     * <ul>
     *   <li>allowed: KMS DELETE plus whitelist key ACL MANAGEMENT (key1);</li>
     *   <li>allowed: KMS DELETE plus default key ACL MANAGEMENT (key2);</li>
     *   <li>denied: user is listed in the KMS blacklist for DELETE (key3);</li>
     *   <li>denied: KMS DELETE ACL is a single space (key3);</li>
     *   <li>denied: KMS DELETE only, no key ACL (key3);</li>
     *   <li>denied: default key ACL MANAGEMENT, but a key-specific ACL exists
     *       for key3 (DECRYPT_EEK only);</li>
     *   <li>allowed: only the whitelist key ACL MANAGEMENT is set (key3).</li>
     * </ul>
     *
     * <p>NOTE(review): {@code deleteKey} goes through {@code doUserOp}, which
     * maps every {@link IOException} to {@code false}. The "denied" assertions
     * therefore pass on any I/O failure, not only on an authorization failure.
     *
     * @throws Exception if fixture setup or teardown fails
     */
    @Test
    public void testDeleteKey() throws Exception {
        // Stage 1 fixture: KMS CREATE + whitelist key ACL MANAGEMENT, used to create the three keys.
        Configuration configuration = new Configuration();
        configuration.set("hadoop.kms.acl.CREATE", realUgi.getUserName());
        configuration.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
        // NOTE(review): the two outermost finally blocks are empty, so a failure in
        // stage 1 or 2 does not reach teardown() — presumably a decompilation
        // artefact; confirm against the original source.
        try {
            setup(configuration);
            Assert.assertTrue("Exception during key creation", createKey(realUgi, KEY1, configuration));
            Assert.assertTrue("Exception during key creation", createKey(realUgi, KEY2, configuration));
            Assert.assertTrue("Exception during key creation", createKey(realUgi, KEY3, configuration));
            teardown();
            // Stage 2: KMS DELETE + whitelist key ACL MANAGEMENT -> deleting key1 expected to succeed.
            // The false argument presumably keeps the existing keystore across the
            // restart — TODO confirm against setup().
            Configuration configuration2 = new Configuration();
            configuration2.set("hadoop.kms.acl.DELETE", realUgi.getUserName());
            configuration2.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
            try {
                setup(configuration2, false);
                Assert.assertTrue("Exception during key deletion with correct config using whitelist key ACLs", deleteKey(realUgi, KEY1));
                teardown();
                // Stage 3: KMS DELETE + default key ACL MANAGEMENT -> deleting key2 expected to succeed.
                Configuration configuration3 = new Configuration();
                configuration3.set("hadoop.kms.acl.DELETE", realUgi.getUserName());
                configuration3.set("default.key.acl.MANAGEMENT", realUgi.getUserName());
                try {
                    setup(configuration3, false);
                    Assert.assertTrue("Exception during key deletion with correct config using default key ACLs", deleteKey(realUgi, KEY2));
                    teardown();
                    // Stage 4: user is both allowed and blacklisted for DELETE -> deletion expected to be denied.
                    Configuration configuration4 = new Configuration();
                    configuration4.set("hadoop.kms.acl.DELETE", realUgi.getUserName());
                    configuration4.set("hadoop.kms.blacklist.DELETE", realUgi.getUserName());
                    configuration4.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
                    try {
                        setup(configuration4, false);
                        Assert.assertFalse("Allowed key deletion with blacklist for DELETE", deleteKey(realUgi, KEY3));
                        teardown();
                        // Stage 5: KMS DELETE ACL set to a single space -> deletion expected to be denied.
                        Configuration configuration5 = new Configuration();
                        configuration5.set("hadoop.kms.acl.DELETE", " ");
                        configuration5.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
                        try {
                            setup(configuration5, false);
                            Assert.assertFalse("Allowed key deletion without DELETE KMS ACL", deleteKey(realUgi, KEY3));
                            teardown();
                            // Stage 6: KMS DELETE only, no key ACL of any kind -> deletion expected to be denied.
                            Configuration configuration6 = new Configuration();
                            configuration6.set("hadoop.kms.acl.DELETE", realUgi.getUserName());
                            try {
                                setup(configuration6, false);
                                Assert.assertFalse("Allowed key deletion without MANAGMENT key ACL", deleteKey(realUgi, KEY3));
                                teardown();
                                // Stage 7: a key-specific ACL for key3 grants DECRYPT_EEK only; deletion is
                                // expected to be denied even though the default key ACL grants MANAGEMENT.
                                Configuration configuration7 = new Configuration();
                                configuration7.set("hadoop.kms.acl.DELETE", realUgi.getUserName());
                                configuration7.set("default.key.acl.MANAGEMENT", realUgi.getUserName());
                                configuration7.set("key.acl.key3.DECRYPT_EEK", realUgi.getUserName());
                                try {
                                    setup(configuration7, false);
                                    Assert.assertFalse("Allowed key deletion when default key ACL should have been overridden by key ACL", deleteKey(realUgi, KEY3));
                                    teardown();
                                    // Stage 8: only the whitelist key ACL, no hadoop.kms.acl.* entry -> deletion expected to succeed.
                                    Configuration configuration8 = new Configuration();
                                    configuration8.set("whitelist.key.acl.MANAGEMENT", realUgi.getUserName());
                                    try {
                                        setup(configuration8, false);
                                        Assert.assertTrue("Exception during key deletion with default KMS ACLs", deleteKey(realUgi, KEY3));
                                        teardown();
                                    } finally {
                                        // Runs again after the in-line teardown() on the success path.
                                        teardown();
                                    }
                                } finally {
                                    teardown();
                                }
                            } finally {
                                teardown();
                            }
                        } finally {
                            teardown();
                        }
                    } finally {
                        teardown();
                    }
                } finally {
                    teardown();
                }
            } finally {
            }
        } finally {
        }
    }

    /**
     * Creates the named key as the given user.
     *
     * @param userGroupInformation the user to run the operation as
     * @param str the name of the key to create
     * @param configuration the configuration passed to {@code DFSTestUtil.createKey}
     * @return the result of {@code doUserOp}: {@code true} if the operation
     *         completed, {@code false} if it threw an {@link IOException}
     */
    private boolean createKey(UserGroupInformation userGroupInformation, final String str, final Configuration configuration) {
        final UserOp keyCreation = new UserOp() {
            @Override
            public void execute() throws IOException {
                try {
                    DFSTestUtil.createKey(str, TestAclsEndToEnd.this.cluster, configuration);
                } catch (NoSuchAlgorithmException cause) {
                    // UserOp only permits IOException, so wrap and keep the cause.
                    throw new IOException(cause);
                }
            }
        };
        return doUserOp(userGroupInformation, keyCreation);
    }

    /**
     * Creates an encryption zone at {@code path} backed by the named key, as the given user.
     *
     * @param userGroupInformation the user to run the operation as
     * @param str the name of the key for the zone
     * @param path the directory to turn into an encryption zone
     * @return the result of {@code doUserOp}: {@code true} if the operation
     *         completed, {@code false} if it threw an {@link IOException}
     */
    private boolean createEncryptionZone(UserGroupInformation userGroupInformation, final String str, final Path path) {
        final UserOp zoneCreation = new UserOp() {
            @Override
            public void execute() throws IOException {
                TestAclsEndToEnd.this.cluster.getFileSystem().createEncryptionZone(path, str);
            }
        };
        return doUserOp(userGroupInformation, zoneCreation);
    }

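    /**
     * Creates {@code path} as the given user and writes {@code str} followed by
     * a line separator to it.
     *
     * <p>The writer is closed even if the write fails, and a write or close
     * error is reported as an {@link IOException} so that it surfaces as a
     * {@code false} result instead of being silently dropped by
     * {@link PrintWriter}.
     *
     * @param userGroupInformation the user to run the operation as
     * @param path the file to create
     * @param str the text to write
     * @return the result of {@code doUserOp}: {@code true} if the operation
     *         completed, {@code false} if it threw an {@link IOException}
     */
    private boolean createFile(UserGroupInformation userGroupInformation, final Path path, final String str) {
        return doUserOp(userGroupInformation, new UserOp() {
            @Override
            public void execute() throws IOException {
                PrintWriter printWriter = new PrintWriter(new OutputStreamWriter(TestAclsEndToEnd.this.cluster.getFileSystem().create(path)));
                try {
                    printWriter.println(str);
                } finally {
                    printWriter.close();
                }
                // PrintWriter records I/O failures in an error flag rather than throwing;
                // checking it after close() also covers errors raised while closing.
                if (printWriter.checkError()) {
                    throw new IOException("Failed to write " + path);
                }
            }
        });
    }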

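    /**
     * Opens {@code path} as the given user, reads its first line and asserts
     * that it equals {@code str}.
     *
     * <p>The reader is closed before the comparison, so the stream is released
     * whether or not the read succeeds. A content mismatch raises an
     * {@link AssertionError}, which is not caught by {@code doUserOp} and so
     * fails the calling test directly.
     *
     * @param userGroupInformation the user to run the operation as
     * @param path the file to read
     * @param str the expected first line
     * @return the result of {@code doUserOp}: {@code true} if the operation
     *         completed, {@code false} if it threw an {@link IOException}
     */
    private boolean compareFile(UserGroupInformation userGroupInformation, final Path path, final String str) {
        return doUserOp(userGroupInformation, new UserOp() {
            @Override
            public void execute() throws IOException {
                BufferedReader reader = new BufferedReader(new InputStreamReader(TestAclsEndToEnd.this.cluster.getFileSystem().open(path)));
                String firstLine;
                try {
                    firstLine = reader.readLine();
                } finally {
                    reader.close();
                }
                Assert.assertEquals("The text read does not match the text written", str, firstLine);
            }
        });
    }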

    /**
     * Deletes the named key through the NameNode's key provider, as the given user.
     *
     * @param userGroupInformation the user to run the operation as
     * @param str the name of the key to delete
     * @return the result of {@code doUserOp}: {@code true} if the operation
     *         completed, {@code false} if it threw an {@link IOException}
     * @throws IOException declared by the signature; the body itself routes
     *         I/O failures through {@code doUserOp}
     * @throws InterruptedException declared by the signature
     */
    private boolean deleteKey(UserGroupInformation userGroupInformation, final String str) throws IOException, InterruptedException {
        final UserOp keyDeletion = new UserOp() {
            @Override
            public void execute() throws IOException {
                TestAclsEndToEnd.this.cluster.getNameNode().getNamesystem().getProvider().deleteKey(str);
            }
        };
        return doUserOp(userGroupInformation, keyDeletion);
    }

    /**
     * Runs {@code userOp} as the given user and reports whether it completed.
     *
     * <p>The user is first installed as the process-wide login user via
     * {@code UserGroupInformation.setLoginUser}, then the operation runs inside
     * {@code doAs}.
     *
     * <p>NOTE(review): every {@link IOException} is logged and turned into
     * {@code false}. Callers that assert {@code false} to prove an ACL denial
     * cannot tell a denial apart from any other I/O failure; the logged
     * exception is the only place the cause is recorded.
     *
     * @param userGroupInformation the user to run the operation as
     * @param userOp the operation to execute
     * @return {@code true} if {@code userOp.execute()} returned normally,
     *         {@code false} if it threw an {@link IOException}
     */
    private boolean doUserOp(UserGroupInformation userGroupInformation, final UserOp userOp) {
        UserGroupInformation.setLoginUser(userGroupInformation);
        final PrivilegedAction<Boolean> action = new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                try {
                    userOp.execute();
                } catch (IOException failure) {
                    LOG.error("IOException thrown during doAs() operation", failure);
                    return Boolean.FALSE;
                }
                return Boolean.TRUE;
            }
        };
        Boolean outcome = userGroupInformation.doAs(action);
        return outcome.booleanValue();
    }
}
