package org.apache.hadoop.yarn.server.resourcemanager;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.DataInputBuffer;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.CancelDelegationTokenRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetNewApplicationRequest;
import org.apache.hadoop.yarn.api.protocolrecords.RenewDelegationTokenRequest;
import org.apache.hadoop.yarn.api.records.Token;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.ipc.YarnRPC;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.NullRMStateStore;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.AllocationFileLoaderService;
import org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager;
import org.apache.hadoop.yarn.server.resourcemanager.security.RMDelegationTokenSecretManager;
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
import org.apache.hadoop.yarn.server.utils.BuilderUtils;
import org.apache.hadoop.yarn.util.ConverterUtils;
import org.apache.hadoop.yarn.util.Records;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Matchers;
import org.mockito.Mockito;

/* JADX WARN: Classes with same name are omitted:
  input_file:hadoop-yarn-server-resourcemanager-2.6.1-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/TestClientRMTokens.class
 */
/* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMTokens.class */
public class TestClientRMTokens {
    private static final Log LOG = LogFactory.getLog(TestClientRMTokens.class);

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-yarn-server-resourcemanager-2.6.1-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/TestClientRMTokens$ClientRMServiceForTest.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMTokens$ClientRMServiceForTest.class */
    class ClientRMServiceForTest extends ClientRMService {
        public ClientRMServiceForTest(Configuration configuration, ResourceScheduler resourceScheduler, RMDelegationTokenSecretManager rMDelegationTokenSecretManager) {
            super((RMContext) Mockito.mock(RMContext.class), resourceScheduler, (RMAppManager) Mockito.mock(RMAppManager.class), new ApplicationACLsManager(configuration), new QueueACLsManager(resourceScheduler, configuration), rMDelegationTokenSecretManager);
        }

        @Override // org.apache.hadoop.yarn.server.resourcemanager.ClientRMService
        InetSocketAddress getBindAddress(Configuration configuration) {
            return configuration.getSocketAddr("yarn.resourcemanager.address", "0.0.0.0:8032", 0);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.apache.hadoop.yarn.server.resourcemanager.ClientRMService
        public void serviceStop() throws Exception {
            if (this.rmDTSecretManager != null) {
                this.rmDTSecretManager.stopThreads();
            }
            super.serviceStop();
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-yarn-server-resourcemanager-2.6.1-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/TestClientRMTokens$YarnBadRPC.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMTokens$YarnBadRPC.class */
    public static class YarnBadRPC extends YarnRPC {
        public Object getProxy(Class cls, InetSocketAddress inetSocketAddress, Configuration configuration) {
            throw new RuntimeException("getProxy");
        }

        public void stopProxy(Object obj, Configuration configuration) {
            throw new RuntimeException("stopProxy");
        }

        public Server getServer(Class cls, Object obj, InetSocketAddress inetSocketAddress, Configuration configuration, SecretManager<? extends TokenIdentifier> secretManager, int i, String str) {
            throw new RuntimeException("getServer");
        }
    }

    @Before
    public void resetSecretManager() {
        RMDelegationTokenIdentifier.Renewer.setSecretManager((AbstractDelegationTokenSecretManager) null, (InetSocketAddress) null);
    }

    @Test
    public void testDelegationToken() throws IOException, InterruptedException {
        Configuration yarnConfiguration = new YarnConfiguration();
        yarnConfiguration.set("yarn.resourcemanager.principal", "testuser/localhost@apache.org");
        yarnConfiguration.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(yarnConfiguration);
        ResourceScheduler createMockScheduler = createMockScheduler(yarnConfiguration);
        RMDelegationTokenSecretManager createRMDelegationTokenSecretManager = createRMDelegationTokenSecretManager(AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS, 20000L, AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS);
        createRMDelegationTokenSecretManager.startThreads();
        LOG.info("Creating DelegationTokenSecretManager with initialInterval: " + AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS + ", maxLifetime: 20000, renewInterval: " + AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS);
        ClientRMServiceForTest clientRMServiceForTest = new ClientRMServiceForTest(yarnConfiguration, createMockScheduler, createRMDelegationTokenSecretManager);
        clientRMServiceForTest.init(yarnConfiguration);
        clientRMServiceForTest.start();
        ApplicationClientProtocol applicationClientProtocol = null;
        try {
            UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser("testrenewer@APACHE.ORG");
            Assert.assertEquals("testrenewer", createRemoteUser.getShortUserName());
            createRemoteUser.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
            Token delegationToken = getDelegationToken(createRemoteUser, clientRMServiceForTest, createRemoteUser.getShortUserName());
            long currentTimeMillis = System.currentTimeMillis();
            LOG.info("Got delegation token at: " + currentTimeMillis);
            applicationClientProtocol = getClientRMProtocolWithDT(delegationToken, clientRMServiceForTest.getBindAddress(), "loginuser1", yarnConfiguration);
            GetNewApplicationRequest getNewApplicationRequest = (GetNewApplicationRequest) Records.newRecord(GetNewApplicationRequest.class);
            try {
                applicationClientProtocol.getNewApplication(getNewApplicationRequest);
            } catch (IOException e) {
                Assert.fail("Unexpected exception" + e);
            } catch (YarnException e2) {
                Assert.fail("Unexpected exception" + e2);
            }
            while (System.currentTimeMillis() < currentTimeMillis + (AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS / 2)) {
                Thread.sleep(500L);
            }
            long renewDelegationToken = renewDelegationToken(createRemoteUser, clientRMServiceForTest, delegationToken);
            long currentTimeMillis2 = System.currentTimeMillis();
            LOG.info("Renewed token at: " + currentTimeMillis2 + ", NextExpiryTime: " + renewDelegationToken);
            while (System.currentTimeMillis() > currentTimeMillis + AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS && System.currentTimeMillis() < renewDelegationToken) {
                Thread.sleep(500L);
            }
            Thread.sleep(50L);
            try {
                applicationClientProtocol.getNewApplication(getNewApplicationRequest);
            } catch (YarnException e3) {
                Assert.fail("Unexpected exception" + e3);
            } catch (IOException e4) {
                Assert.fail("Unexpected exception" + e4);
            }
            while (System.currentTimeMillis() < currentTimeMillis2 + AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS) {
                Thread.sleep(500L);
            }
            Thread.sleep(50L);
            LOG.info("At time: " + System.currentTimeMillis() + ", token should be invalid");
            try {
                applicationClientProtocol.getNewApplication(getNewApplicationRequest);
                Assert.fail("Should not have succeeded with an expired token");
            } catch (Exception e5) {
                Assert.assertEquals(SecretManager.InvalidToken.class.getName(), e5.getClass().getName());
                Assert.assertTrue(e5.getMessage().contains("is expired"));
            }
            if (applicationClientProtocol != null) {
                RPC.stopProxy(applicationClientProtocol);
            }
            Token delegationToken2 = getDelegationToken(createRemoteUser, clientRMServiceForTest, createRemoteUser.getShortUserName());
            LOG.info("Got delegation token at: " + System.currentTimeMillis());
            applicationClientProtocol = getClientRMProtocolWithDT(delegationToken2, clientRMServiceForTest.getBindAddress(), "loginuser2", yarnConfiguration);
            GetNewApplicationRequest getNewApplicationRequest2 = (GetNewApplicationRequest) Records.newRecord(GetNewApplicationRequest.class);
            try {
                applicationClientProtocol.getNewApplication(getNewApplicationRequest2);
            } catch (IOException e6) {
                Assert.fail("Unexpected exception" + e6);
            } catch (YarnException e7) {
                Assert.fail("Unexpected exception" + e7);
            }
            cancelDelegationToken(createRemoteUser, clientRMServiceForTest, delegationToken2);
            if (applicationClientProtocol != null) {
                RPC.stopProxy(applicationClientProtocol);
            }
            ApplicationClientProtocol clientRMProtocolWithDT = getClientRMProtocolWithDT(delegationToken2, clientRMServiceForTest.getBindAddress(), "loginuser2", yarnConfiguration);
            LOG.info("Cancelled delegation token at: " + System.currentTimeMillis());
            try {
                clientRMProtocolWithDT.getNewApplication(getNewApplicationRequest2);
                Assert.fail("Should not have succeeded with a cancelled delegation token");
            } catch (YarnException e8) {
            } catch (IOException e9) {
            }
            if (clientRMProtocolWithDT != null) {
                RPC.stopProxy(clientRMProtocolWithDT);
            }
            byte[] array = getDelegationToken(createRemoteUser, clientRMServiceForTest, createRemoteUser.getShortUserName()).getIdentifier().array();
            RMDelegationTokenIdentifier rMDelegationTokenIdentifier = new RMDelegationTokenIdentifier();
            DataInputBuffer dataInputBuffer = new DataInputBuffer();
            dataInputBuffer.reset(array, array.length);
            rMDelegationTokenIdentifier.readFields(dataInputBuffer);
            org.apache.hadoop.security.token.Token token = new org.apache.hadoop.security.token.Token(new RMDelegationTokenIdentifierForTest(rMDelegationTokenIdentifier, "message"), createRMDelegationTokenSecretManager);
            applicationClientProtocol = getClientRMProtocolWithDT(BuilderUtils.newDelegationToken(token.getIdentifier(), token.getKind().toString(), token.getPassword(), token.getService().toString()), clientRMServiceForTest.getBindAddress(), "loginuser3", yarnConfiguration);
            try {
                applicationClientProtocol.getNewApplication((GetNewApplicationRequest) Records.newRecord(GetNewApplicationRequest.class));
            } catch (IOException e10) {
                Assert.fail("Unexpected exception" + e10);
            } catch (YarnException e11) {
                Assert.fail("Unexpected exception" + e11);
            }
            createRMDelegationTokenSecretManager.stopThreads();
            if (applicationClientProtocol != null) {
                RPC.stopProxy(applicationClientProtocol);
            }
        } catch (Throwable th) {
            createRMDelegationTokenSecretManager.stopThreads();
            if (applicationClientProtocol != null) {
                RPC.stopProxy(applicationClientProtocol);
            }
            throw th;
        }
    }

    @Test
    public void testShortCircuitRenewCancel() throws IOException, InterruptedException {
        InetSocketAddress createSocketAddr = NetUtils.createSocketAddr(InetAddress.getLocalHost().getHostName(), 123, (String) null);
        checkShortCircuitRenewCancel(createSocketAddr, createSocketAddr, true);
    }

    @Test
    public void testShortCircuitRenewCancelWildcardAddress() throws IOException, InterruptedException {
        InetSocketAddress inetSocketAddress = new InetSocketAddress(123);
        checkShortCircuitRenewCancel(inetSocketAddress, NetUtils.createSocketAddr(InetAddress.getLocalHost().getHostName(), inetSocketAddress.getPort(), (String) null), true);
    }

    @Test
    public void testShortCircuitRenewCancelSameHostDifferentPort() throws IOException, InterruptedException {
        InetSocketAddress createSocketAddr = NetUtils.createSocketAddr(InetAddress.getLocalHost().getHostName(), 123, (String) null);
        checkShortCircuitRenewCancel(createSocketAddr, new InetSocketAddress(createSocketAddr.getAddress(), createSocketAddr.getPort() + 1), false);
    }

    @Test
    public void testShortCircuitRenewCancelDifferentHostSamePort() throws IOException, InterruptedException {
        InetSocketAddress createSocketAddr = NetUtils.createSocketAddr(InetAddress.getLocalHost().getHostName(), 123, (String) null);
        checkShortCircuitRenewCancel(createSocketAddr, new InetSocketAddress("1.1.1.1", createSocketAddr.getPort()), false);
    }

    @Test
    public void testShortCircuitRenewCancelDifferentHostDifferentPort() throws IOException, InterruptedException {
        InetSocketAddress createSocketAddr = NetUtils.createSocketAddr(InetAddress.getLocalHost().getHostName(), 123, (String) null);
        checkShortCircuitRenewCancel(createSocketAddr, new InetSocketAddress("1.1.1.1", createSocketAddr.getPort() + 1), false);
    }

    private void checkShortCircuitRenewCancel(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, boolean z) throws IOException, InterruptedException {
        Configuration configuration = new Configuration();
        configuration.setClass("yarn.ipc.rpc.class", YarnBadRPC.class, YarnRPC.class);
        RMDelegationTokenSecretManager rMDelegationTokenSecretManager = (RMDelegationTokenSecretManager) Mockito.mock(RMDelegationTokenSecretManager.class);
        RMDelegationTokenIdentifier.Renewer.setSecretManager(rMDelegationTokenSecretManager, inetSocketAddress);
        org.apache.hadoop.security.token.Token token = new org.apache.hadoop.security.token.Token(new RMDelegationTokenIdentifier(new Text("owner"), new Text("renewer"), (Text) null), rMDelegationTokenSecretManager);
        SecurityUtil.setTokenService(token, inetSocketAddress2);
        if (z) {
            token.renew(configuration);
            ((RMDelegationTokenSecretManager) Mockito.verify(rMDelegationTokenSecretManager)).renewToken((org.apache.hadoop.security.token.Token) Matchers.eq(token), (String) Matchers.eq("renewer"));
            Mockito.reset(new RMDelegationTokenSecretManager[]{rMDelegationTokenSecretManager});
            token.cancel(configuration);
            ((RMDelegationTokenSecretManager) Mockito.verify(rMDelegationTokenSecretManager)).cancelToken((org.apache.hadoop.security.token.Token) Matchers.eq(token), (String) Matchers.eq("renewer"));
            return;
        }
        try {
            token.renew(configuration);
            Assert.fail();
        } catch (RuntimeException e) {
            Assert.assertEquals("getProxy", e.getMessage());
        }
        ((RMDelegationTokenSecretManager) Mockito.verify(rMDelegationTokenSecretManager, Mockito.never())).renewToken((org.apache.hadoop.security.token.Token) Matchers.any(org.apache.hadoop.security.token.Token.class), Matchers.anyString());
        try {
            token.cancel(configuration);
            Assert.fail();
        } catch (RuntimeException e2) {
            Assert.assertEquals("getProxy", e2.getMessage());
        }
        ((RMDelegationTokenSecretManager) Mockito.verify(rMDelegationTokenSecretManager, Mockito.never())).cancelToken((org.apache.hadoop.security.token.Token) Matchers.any(org.apache.hadoop.security.token.Token.class), Matchers.anyString());
    }

    private Token getDelegationToken(UserGroupInformation userGroupInformation, final ApplicationClientProtocol applicationClientProtocol, final String str) throws IOException, InterruptedException {
        return (Token) userGroupInformation.doAs(new PrivilegedExceptionAction<Token>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.TestClientRMTokens.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Token run() throws YarnException, IOException {
                GetDelegationTokenRequest getDelegationTokenRequest = (GetDelegationTokenRequest) Records.newRecord(GetDelegationTokenRequest.class);
                getDelegationTokenRequest.setRenewer(str);
                return applicationClientProtocol.getDelegationToken(getDelegationTokenRequest).getRMDelegationToken();
            }
        });
    }

    private long renewDelegationToken(UserGroupInformation userGroupInformation, final ApplicationClientProtocol applicationClientProtocol, final Token token) throws IOException, InterruptedException {
        return ((Long) userGroupInformation.doAs(new PrivilegedExceptionAction<Long>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.TestClientRMTokens.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Long run() throws YarnException, IOException {
                RenewDelegationTokenRequest renewDelegationTokenRequest = (RenewDelegationTokenRequest) Records.newRecord(RenewDelegationTokenRequest.class);
                renewDelegationTokenRequest.setDelegationToken(token);
                return Long.valueOf(applicationClientProtocol.renewDelegationToken(renewDelegationTokenRequest).getNextExpirationTime());
            }
        })).longValue();
    }

    private void cancelDelegationToken(UserGroupInformation userGroupInformation, final ApplicationClientProtocol applicationClientProtocol, final Token token) throws IOException, InterruptedException {
        userGroupInformation.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.TestClientRMTokens.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws YarnException, IOException {
                CancelDelegationTokenRequest cancelDelegationTokenRequest = (CancelDelegationTokenRequest) Records.newRecord(CancelDelegationTokenRequest.class);
                cancelDelegationTokenRequest.setDelegationToken(token);
                applicationClientProtocol.cancelDelegationToken(cancelDelegationTokenRequest);
                return null;
            }
        });
    }

    private ApplicationClientProtocol getClientRMProtocolWithDT(Token token, final InetSocketAddress inetSocketAddress, String str, final Configuration configuration) {
        UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser(str);
        createRemoteUser.addToken(ConverterUtils.convertFromYarn(token, inetSocketAddress));
        final YarnRPC create = YarnRPC.create(configuration);
        return (ApplicationClientProtocol) createRemoteUser.doAs(new PrivilegedAction<ApplicationClientProtocol>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.TestClientRMTokens.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public ApplicationClientProtocol run() {
                return (ApplicationClientProtocol) create.getProxy(ApplicationClientProtocol.class, inetSocketAddress, configuration);
            }
        });
    }

    private static ResourceScheduler createMockScheduler(Configuration configuration) {
        ResourceScheduler resourceScheduler = (ResourceScheduler) Mockito.mock(ResourceScheduler.class);
        ((ResourceScheduler) Mockito.doReturn(BuilderUtils.newResource(512, 0)).when(resourceScheduler)).getMinimumResourceCapability();
        ((ResourceScheduler) Mockito.doReturn(BuilderUtils.newResource(5120, 0)).when(resourceScheduler)).getMaximumResourceCapability();
        return resourceScheduler;
    }

    private static RMDelegationTokenSecretManager createRMDelegationTokenSecretManager(long j, long j2, long j3) {
        RMContext rMContext = (RMContext) Mockito.mock(RMContext.class);
        Mockito.when(rMContext.getStateStore()).thenReturn(new NullRMStateStore());
        return new RMDelegationTokenSecretManager(j, j2, j3, CapacitySchedulerConfiguration.DEFAULT_RESERVATION_ENFORCEMENT_WINDOW, rMContext);
    }
}
