package com.cloudera.server.web.cmf.security;

import com.cloudera.server.web.cmf.CMFUserDetailsService;
import com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider;
import com.cloudera.server.web.cmf.CmfPamAuthenticationProvider;
import com.cloudera.server.web.cmf.CmfUserLoader;
import com.cloudera.server.web.cmf.KerberosRequestAuthenticationDetails;
import com.cloudera.server.web.cmf.UserDetailsAndGroups;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.lang.invoke.SerializedLambda;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.GSSContext;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.authentication.KerberosTicketValidation;
import org.springframework.security.kerberos.authentication.KerberosTicketValidator;

/* loaded from: input_file:com/cloudera/server/web/cmf/security/DoAsAuthenticationProviderTest.class */
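/**
 * Unit tests for {@code DoAsAuthenticationProvider.proxyAuthenticate}: a Kerberos-authenticated
 * caller asks, through a {@code doAs=<user>} query-string parameter, to act as another user.
 *
 * <p>Each proxy-user entry registered in {@link #createAuthProvider} carries three sets. Judging
 * by the values and by the {@code proxyuser_wild_*} / {@code proxyuser_no_*} entries, they are the
 * allowed groups, allowed hosts and allowed target users, in that order.
 *
 * <p>Security properties pinned by the assertions in this class:
 * <ul>
 *   <li>Every rejected impersonation returns an <em>unauthenticated</em> result whose principal is
 *       still the requesting proxy user, never the {@code doAs} target.</li>
 *   <li>A caller with no proxy-user entry (or a provider with no entries at all) keeps its own
 *       identity; the {@code doAs} parameter has no effect.</li>
 *   <li>A repeated {@code doAs} parameter is rejected rather than one of the values being used.</li>
 *   <li>An empty groups, hosts or users set denies; only the literal {@code "*"} allows all.</li>
 * </ul>
 *
 * <p>NOTE(review): only {@code testFailProxyHostsCheck} and {@code testWildcardHosts} set a remote
 * address. Every other success case leaves it {@code null} against a host set of
 * {@code {"localhost"}}, so no case pairs a concrete allowed address with a success expectation.
 * How the provider treats a {@code null} address is not visible here and should be confirmed.
 *
 * <p>This listing is decompiler output. The compiler-synthesised {@code $deserializeLambda$}
 * method is not declared here: it is not source, and its decompiled form ({@code boolean z = -1},
 * {@code switch} on a {@code boolean}) does not compile.
 */
public class DoAsAuthenticationProviderTest {

    /* loaded from: input_file:com/cloudera/server/web/cmf/security/DoAsAuthenticationProviderTest$TestCase.class */
    /**
     * Fluent description of one impersonation scenario plus its expected outcome.
     *
     * <p>Unset strings stay {@code null}; in particular an unset remote address makes the mocked
     * request return {@code null} from {@code getRemoteAddr()}.
     */
    private static class TestCase {
        // Raw query string of the mocked request (e.g. "doAs=user1"); null when never set.
        private String queryString;
        // Value returned by the mocked HttpServletRequest.getRemoteAddr(); null when never set.
        private String remoteAddress;
        // User name of the Kerberos-authenticated caller issuing the request.
        private String requestUser;
        // User name the resulting principal must carry.
        private String expectedUsername;
        // Register a mocked LDAP user loader (mutually exclusive with addPam).
        private boolean addLdap = false;
        // Register a mocked PAM user loader (mutually exclusive with addLdap).
        private boolean addPam = false;
        // When true, no proxy-user entries are registered on the provider.
        private boolean skipProxyConfig = false;
        // Expected value of Authentication.isAuthenticated() on the result.
        private boolean success = false;

        private TestCase() {
        }

        /** Starts a new scenario with all flags false and all strings null. */
        public static TestCase builder() {
            return new TestCase();
        }

        public TestCase addPam(boolean enabled) {
            this.addPam = enabled;
            return this;
        }

        public TestCase addLdap(boolean enabled) {
            this.addLdap = enabled;
            return this;
        }

        public TestCase skipProxyConfig(boolean skip) {
            this.skipProxyConfig = skip;
            return this;
        }

        public TestCase setQueryString(String query) {
            this.queryString = query;
            return this;
        }

        public TestCase setRemoteAddress(String address) {
            this.remoteAddress = address;
            return this;
        }

        public TestCase setRequestUser(String username) {
            this.requestUser = username;
            return this;
        }

        public TestCase setSuccess(boolean expected) {
            this.success = expected;
            return this;
        }

        public TestCase setExpectedUsername(String username) {
            this.expectedUsername = username;
            return this;
        }

        /**
         * Builds the provider, request details and caller token for this scenario, calls
         * {@code proxyAuthenticate}, and checks both the authenticated flag and the principal's
         * user name. Checking both matters: a denial must not leak the target identity, and a
         * grant must actually switch to it.
         */
        public void run() {
            DoAsAuthenticationProvider provider =
                    DoAsAuthenticationProviderTest.createAuthProvider(
                            this.addLdap, this.addPam, this.skipProxyConfig);
            KerberosRequestAuthenticationDetails details =
                    DoAsAuthenticationProviderTest.createRequestDetails(
                            this.queryString, this.remoteAddress);
            KerberosServiceRequestToken callerAuth =
                    DoAsAuthenticationProviderTest.createKrbAuth(this.requestUser);

            Authentication result = provider.proxyAuthenticate(details, callerAuth);

            // Fail with a readable message instead of a NullPointerException below.
            Assert.assertNotNull("proxyAuthenticate returned null", result);
            Assert.assertEquals(
                    "authenticated flag", this.success, result.isAuthenticated());
            Assert.assertEquals(
                    "principal user name",
                    this.expectedUsername,
                    ((CMFUserDetailsService.CMFUser) result.getPrincipal()).getUsername());
        }
    }

    /**
     * Creates a provider wired with mocks.
     *
     * <p>The decompiler reports that it widened this helper's visibility from {@code private}.
     *
     * @param addLdap register a mocked {@link CmfLdapAuthenticationProvider} as user loader
     * @param addPam register a mocked {@link CmfPamAuthenticationProvider} as user loader
     * @param skipProxyConfig when {@code true}, register no proxy-user entries at all
     * @return the configured provider
     */
    public static DoAsAuthenticationProvider createAuthProvider(
            boolean addLdap, boolean addPam, boolean skipProxyConfig) {
        if (addLdap && addPam) {
            Assert.fail("We can either test ldap or pam.");
        }
        DoAsAuthenticationProvider provider = new DoAsAuthenticationProvider();
        provider.setTicketValidator(Mockito.mock(KerberosTicketValidator.class));

        // Local user store: user1..user4 exist, "invaliduser" does not. Any other name
        // (including "nogroup") is unstubbed, so the mock returns null for it.
        CMFUserDetailsService userDetailsService = Mockito.mock(CMFUserDetailsService.class);
        Mockito.when(userDetailsService.loadUserByUsername("user1")).thenReturn(createUser("user1"));
        Mockito.when(userDetailsService.loadUserByUsername("user2")).thenReturn(createUser("user2"));
        Mockito.when(userDetailsService.loadUserByUsername("user3")).thenReturn(createUser("user3"));
        Mockito.when(userDetailsService.loadUserByUsername("user4")).thenReturn(createUser("user4"));
        Mockito.when(userDetailsService.loadUserByUsername("invaliduser"))
                .thenThrow(new UsernameNotFoundException("Not found"));
        provider.setUserDetailsService(userDetailsService);

        if (addLdap) {
            loadUserMock(Mockito.mock(CmfLdapAuthenticationProvider.class), provider);
        }
        if (addPam) {
            loadUserMock(Mockito.mock(CmfPamAuthenticationProvider.class), provider);
        }

        if (!skipProxyConfig) {
            // Baseline entry: explicit groups, hosts and users. user4 is deliberately absent.
            provider.addProxyUserConfig(
                    "proxyuser",
                    Sets.newHashSet("group1", "group2"),
                    Sets.newHashSet("localhost"),
                    Sets.newHashSet("user1", "user2", "user3"));
            // NOTE(review): no test in this class requests as "proxyuser_ip"; its values are
            // identical to "proxyuser". Either cover it or drop it.
            provider.addProxyUserConfig(
                    "proxyuser_ip",
                    Sets.newHashSet("group1", "group2"),
                    Sets.newHashSet("localhost"),
                    Sets.newHashSet("user1", "user2", "user3"));
            // One wildcard per entry so each "*" is tested in isolation.
            provider.addProxyUserConfig(
                    "proxyuser_wild_groups",
                    Sets.newHashSet("*"),
                    Sets.newHashSet("localhost"),
                    Sets.newHashSet("user1", "user2", "user3"));
            provider.addProxyUserConfig(
                    "proxyuser_wild_hosts",
                    Sets.newHashSet("group1", "group2"),
                    Sets.newHashSet("*"),
                    Sets.newHashSet("user1", "user2"));
            provider.addProxyUserConfig(
                    "proxyuser_wild_users",
                    Sets.newHashSet("group1", "group2"),
                    Sets.newHashSet("localhost"),
                    Sets.newHashSet("*"));
            // One empty set per entry; the tests expect each of these to deny.
            provider.addProxyUserConfig(
                    "proxyuser_no_groups",
                    Sets.newHashSet(),
                    Sets.newHashSet("localhost"),
                    Sets.newHashSet("user1", "user2"));
            provider.addProxyUserConfig(
                    "proxyuser_no_hosts",
                    Sets.newHashSet("group1", "group2"),
                    Sets.newHashSet(),
                    Sets.newHashSet("user1", "user2"));
            provider.addProxyUserConfig(
                    "proxyuser_no_users",
                    Sets.newHashSet("group1", "group2"),
                    Sets.newHashSet("localhost"),
                    Sets.newHashSet());
        }
        return provider;
    }

    /**
     * Stubs group membership on an external user loader and registers it on the provider.
     *
     * <p>Memberships: user1 in group1; user2 in group2 and group3; user3 in group3 only;
     * user4 in group1 and group4; "nogroup" in no group; "invaliduser" is not found.
     *
     * <p>NOTE(review): the "nogroup" stub returns a user whose name is "user1", and "nogroup" is
     * neither stubbed on the {@code CMFUserDetailsService} mock nor listed in any allowed-users
     * set. A denial for {@code doAs=nogroup} may therefore come from a check other than the
     * group check; confirm against the provider.
     */
    private static void loadUserMock(CmfUserLoader cmfUserLoader, DoAsAuthenticationProvider provider) {
        Mockito.when(cmfUserLoader.loadUserByUsername("user1"))
                .thenReturn(createUserAndGroups("user1", ImmutableList.of("group1")));
        Mockito.when(cmfUserLoader.loadUserByUsername("user2"))
                .thenReturn(createUserAndGroups("user2", ImmutableList.of("group2", "group3")));
        Mockito.when(cmfUserLoader.loadUserByUsername("user3"))
                .thenReturn(createUserAndGroups("user3", ImmutableList.of("group3")));
        Mockito.when(cmfUserLoader.loadUserByUsername("user4"))
                .thenReturn(createUserAndGroups("user4", ImmutableList.of("group1", "group4")));
        Mockito.when(cmfUserLoader.loadUserByUsername("nogroup"))
                .thenReturn(createUserAndGroups("user1", ImmutableList.of()));
        Mockito.when(cmfUserLoader.loadUserByUsername("invaliduser"))
                .thenThrow(new UsernameNotFoundException("Not found"));
        provider.setCmfUserLoader(cmfUserLoader);
    }

    /** Builds an internal (non-external) CMF user with the given name and fixed dummy values. */
    private static UserDetails createUser(String username) {
        return CMFUserDetailsService.CMFUser.newBuilder()
                .setUsername(username)
                .setPasswordHash("password")
                .setAuthorities(Collections.emptyMap())
                .setSalt(0L)
                .setIsExternal(false)
                .setIsInternal(true)
                .setRoles(Collections.emptyMap())
                .setLastNLogins(Collections.emptyList())
                .build();
    }

    /**
     * Pairs a user with one {@link GrantedAuthority} per group name.
     *
     * <p>The list is explicitly typed: the decompiled form added the lambda to a raw
     * {@code ArrayList}, which gives the lambda no target type and does not compile. The
     * functional interface is the one named in the decompiled lambda metadata.
     */
    private static UserDetailsAndGroups createUserAndGroups(String username, List<String> groups) {
        UserDetails user = createUser(username);
        List<GrantedAuthority> authorities = new ArrayList<>(groups.size());
        for (String group : groups) {
            authorities.add(() -> group);
        }
        return new UserDetailsAndGroups(user, authorities);
    }

    /**
     * Builds the caller's Kerberos token for {@code username}, with a ticket validation carrying
     * the name and {@code <username>@REALM}, no authorities, and null token bytes and GSS context.
     *
     * <p>The decompiler reports that it widened this helper's visibility from {@code private}.
     */
    public static KerberosServiceRequestToken createKrbAuth(String username) {
        KerberosTicketValidation validation =
                new KerberosTicketValidation(
                        username, String.format("%s@REALM", username), (byte[]) null, (GSSContext) null);
        return new KerberosServiceRequestToken(
                createUser(username), validation, Collections.emptyList(), (byte[]) null);
    }

    /**
     * Wraps a mocked servlet request exposing only the given query string and remote address.
     *
     * <p>The decompiler reports that it widened this helper's visibility from {@code private}.
     */
    public static KerberosRequestAuthenticationDetails createRequestDetails(
            String queryString, String remoteAddress) {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        Mockito.when(request.getQueryString()).thenReturn(queryString);
        Mockito.when(request.getRemoteAddr()).thenReturn(remoteAddress);
        return new KerberosRequestAuthenticationDetails(request);
    }

    /** The provider reports initialized only once both validator and user service are set. */
    @Test
    public void testInitialized() {
        DoAsAuthenticationProvider provider = new DoAsAuthenticationProvider();
        Assert.assertFalse(provider.isInitialized());
        provider.setTicketValidator(Mockito.mock(KerberosTicketValidator.class));
        Assert.assertFalse(provider.isInitialized());
        provider.setUserDetailsService((UserDetailsService) Mockito.mock(CMFUserDetailsService.class));
        Assert.assertTrue(provider.isInitialized());
    }

    /**
     * Non-Kerberos input is passed through: null stays null, an unauthenticated token stays
     * unauthenticated, and an authenticated username/password token keeps its type.
     */
    @Test
    public void testBadAuthPassthrough() {
        DoAsAuthenticationProvider provider = createAuthProvider(false, false, false);
        Assert.assertNull(provider.proxyAuthenticate((Object) null, (Authentication) null));

        Authentication unauthenticated = new UsernamePasswordAuthenticationToken("user", "password");
        Assert.assertFalse(provider.proxyAuthenticate((Object) null, unauthenticated).isAuthenticated());

        Authentication authenticated =
                new UsernamePasswordAuthenticationToken("user", "password", Collections.emptyList());
        Assert.assertTrue(
                provider.proxyAuthenticate((Object) null, authenticated)
                        instanceof UsernamePasswordAuthenticationToken);
    }

    /** With no proxy entries registered, doAs has no effect and the caller stays itself. */
    @Test
    public void testNoProxyConfig() {
        TestCase.builder()
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser")
                .skipProxyConfig(true)
                .setSuccess(true)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** A caller without a proxy entry stays authenticated as itself despite doAs. */
    @Test
    public void testNotProxyUser() {
        TestCase.builder()
                .setQueryString("doAs=user1")
                .setRequestUser("notproxyuser")
                .setSuccess(true)
                .setExpectedUsername("notproxyuser")
                .run();
    }

    /** A configured proxy user sending no query string at all ends up unauthenticated. */
    @Test
    public void testNullProxyRequest() {
        TestCase.builder()
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** A similarly named parameter ("notDoAs") is not accepted in place of doAs. */
    @Test
    public void testDifferentQueryString() {
        TestCase.builder()
                .setQueryString("notDoAs=user1")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** An ambiguous request with two doAs values is denied instead of picking one of them. */
    @Test
    public void testFailMultipleDoAs() {
        TestCase.builder()
                .setQueryString("doAs=user1&doAs=user2")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** Happy path without an external loader: proxyuser becomes user1. */
    @Test
    public void testProxyLocalUser() {
        TestCase.builder()
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
    }

    /** doAs is still honoured when surrounded by unrelated parameters. */
    @Test
    public void testMixedQueryString() {
        TestCase.builder()
                .setQueryString("foo=foo1&doAs=user1&bar=bar1")
                .setRequestUser("proxyuser")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
    }

    /** An unknown target user is denied and the principal stays the proxy user. */
    @Test
    public void testFailUserNotFound() {
        TestCase.builder()
                .setQueryString("doAs=invaliduser")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** user4 exists but is not in proxyuser's allowed-users set, so the request is denied. */
    @Test
    public void testFailProxyUsersCheck() {
        TestCase.builder()
                .setQueryString("doAs=user4")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** A remote address of 0.0.0.0 is denied when the only allowed host is "localhost". */
    @Test
    public void testFailProxyHostsCheck() {
        TestCase.builder()
                .setQueryString("doAs=user1")
                .setRemoteAddress("0.0.0.0")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** Happy path with an external loader (LDAP, then PAM): user1 is in allowed group1. */
    @Test
    public void testProxyLdapUser() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
    }

    /**
     * NOTE(review): despite its name this repeats {@link #testProxyLdapUser} exactly. user1 is
     * stubbed with a single group, while user2 is the stub with two groups (group2, group3), so
     * the multi-group path is not exercised. The input is left as decompiled because the expected
     * outcome for user2 cannot be verified without the provider's source.
     */
    @Test
    public void testProxyLdapUserMultipleGroups() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
    }

    /** user3 is an allowed target but belongs only to group3, which is not an allowed group. */
    @Test
    public void testFailProxyGroupsCheck() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user3")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user3")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** user4 is in allowed group1 but not in the allowed-users set; group membership alone must not suffice. */
    @Test
    public void testFailProxyUsersCheckLdap() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user4")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user4")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /**
     * A target with no groups is denied.
     *
     * <p>NOTE(review): "nogroup" is also absent from proxyuser's allowed-users set and from the
     * local user-service mock, so this case may pass without reaching the group check.
     */
    @Test
    public void testFailNoGroups() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=nogroup")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=nogroup")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** An unknown target is denied with an external loader as well. */
    @Test
    public void testFailUserNotFoundLdap() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=invaliduser")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=invaliduser")
                .setRequestUser("proxyuser")
                .setSuccess(false)
                .setExpectedUsername("proxyuser")
                .run();
    }

    /** A groups set of "*" admits user3, whose only group (group3) is otherwise not allowed. */
    @Test
    public void testWildcardGroups() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user3")
                .setRequestUser("proxyuser_wild_groups")
                .setSuccess(true)
                .setExpectedUsername("user3")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user3")
                .setRequestUser("proxyuser_wild_groups")
                .setSuccess(true)
                .setExpectedUsername("user3")
                .run();
    }

    /** A hosts set of "*" admits a remote address (0.0.0.0) that the baseline entry denies. */
    @Test
    public void testWildcardHosts() {
        TestCase.builder()
                .setQueryString("doAs=user1")
                .setRemoteAddress("0.0.0.0")
                .setRequestUser("proxyuser_wild_hosts")
                .setSuccess(true)
                .setExpectedUsername("user1")
                .run();
    }

    /** A users set of "*" admits user3 as target. */
    @Test
    public void testWildcardUsers() {
        TestCase.builder()
                .setQueryString("doAs=user3")
                .setRequestUser("proxyuser_wild_users")
                .setSuccess(true)
                .setExpectedUsername("user3")
                .run();
    }

    /** An empty groups set denies; it is not treated as "no restriction". */
    @Test
    public void testFailEmptyProxyGroups() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser_no_groups")
                .setSuccess(false)
                .setExpectedUsername("proxyuser_no_groups")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser_no_groups")
                .setSuccess(false)
                .setExpectedUsername("proxyuser_no_groups")
                .run();
    }

    /** An empty hosts set denies; it is not treated as "no restriction". */
    @Test
    public void testFailEmptyProxyHosts() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser_no_hosts")
                .setSuccess(false)
                .setExpectedUsername("proxyuser_no_hosts")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser_no_hosts")
                .setSuccess(false)
                .setExpectedUsername("proxyuser_no_hosts")
                .run();
    }

    /** An empty users set denies; it is not treated as "no restriction". */
    @Test
    public void testFailEmptyProxyUsers() {
        TestCase.builder()
                .addLdap(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser_no_users")
                .setSuccess(false)
                .setExpectedUsername("proxyuser_no_users")
                .run();
        TestCase.builder()
                .addPam(true)
                .setQueryString("doAs=user1")
                .setRequestUser("proxyuser_no_users")
                .setSuccess(false)
                .setExpectedUsername("proxyuser_no_users")
                .run();
    }
}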
