package com.cloudera.cmf.service.objectstore.s3;

import com.cloudera.cmf.model.DbExternalAccount;
import com.cloudera.cmf.model.DbExternalAccountType;
import com.cloudera.cmf.model.DbService;
import com.cloudera.cmf.service.TestUtils;
import com.cloudera.cmf.service.ValidationContext;
import com.cloudera.cmf.service.config.EnumParamSpec;
import com.cloudera.cmf.service.config.ExternalAccountParamSpec;
import com.cloudera.cmf.service.config.ParamSpec;
import com.cloudera.cmf.service.objectstore.KeyDistributionPolicy;
import com.cloudera.cmf.version.CdhReleases;
import com.cloudera.cmf.version.Release;
import com.cloudera.enterprise.MessageWithArgs;
import com.cloudera.server.cmf.MockBaseTest;
import com.cloudera.server.cmf.MockTestCluster;
import com.cloudera.server.web.common.Humanize;
import com.google.common.collect.ImmutableSet;
import java.util.Collections;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:com/cloudera/cmf/service/objectstore/s3/S3SecurityValidatorTest.class */
/**
 * Unit tests for {@link S3SecurityValidator}.
 *
 * <p>Each test builds a mock cluster with an S3 connector service, then checks which
 * combinations of external account type, CDH release, Kerberos setting and
 * {@link KeyDistributionPolicy} the validator accepts and which it rejects with the
 * Kerberos error message.
 *
 * <p>NOTE(review): no test in this class covers a CDH 5.11 cluster with an access-key
 * account and {@code KEY_DISTRIBUTION} left unset; confirm the intended default is
 * exercised elsewhere.
 */
public class S3SecurityValidatorTest extends MockBaseTest {
    private static final String HUMANIZED_SERVICE_TYPE = Humanize.humanizeServiceType(MockTestCluster.S3_ST);

    // Mocked validation context; its cluster and service are stubbed in setupClusterAndConnector.
    private ValidationContext context;
    // The S3 connector service of the mock cluster built for the current test.
    private DbService s3service;

    /**
     * Builds a mock cluster containing HDFS and the S3 connector, stubs the validation
     * context to return it, and sets the connector's account parameter.
     *
     * @param release the CDH release of the mock cluster
     * @param dbExternalAccount the account whose name is stored in {@code S3Params.ACCOUNT},
     *     or {@code null} to store a null account value
     * @param kerberosEnabled value passed to the cluster builder's {@code enableKerberos}
     */
    private void setupClusterAndConnector(Release release, DbExternalAccount dbExternalAccount, boolean kerberosEnabled) {
        context = Mockito.mock(ValidationContext.class);
        MockTestCluster cluster = MockTestCluster.builder(this)
                .cdhVersion(release)
                .services("HDFS", MockTestCluster.S3_ST)
                .autoSatisfyDependencies(MockTestCluster.AutoDependencyLevel.ALL)
                .enableKerberos(kerberosEnabled)
                .build();
        s3service = cluster.getService("aws_s31");
        Mockito.when(context.getCluster()).thenReturn(cluster.getCluster());
        Mockito.when(context.getService()).thenReturn(s3service);
        if (dbExternalAccount == null) {
            createConfig(s3service, (ParamSpec<ExternalAccountParamSpec>) S3Params.ACCOUNT, (ExternalAccountParamSpec) null);
        } else {
            createConfig(s3service, (ParamSpec<ExternalAccountParamSpec>) S3Params.ACCOUNT, (ExternalAccountParamSpec) dbExternalAccount.getName());
        }
    }

    /** Creates an external account of type {@code AWS_ACCESS_KEY_AUTH} (long-lived access keys). */
    private DbExternalAccount awsKeyAccount() {
        return createExternalAccount(2L, "s3_account", DbExternalAccountType.AWS_ACCESS_KEY_AUTH);
    }

    /** The message the validator is expected to report when Kerberos is required but not enabled. */
    private static MessageWithArgs kerberosRequiredError() {
        return MessageWithArgs.of("message.objectstore.validator.kerberos.error", new String[]{HUMANIZED_SERVICE_TYPE});
    }

    /** Runs the validator against the current context and expects all three result sets to be empty. */
    private void assertValidationOk() {
        TestUtils.verifyValidations(context, new S3SecurityValidator(), shr, Collections.emptySet(), Collections.emptySet(), Collections.emptySet());
    }

    /**
     * Runs the validator against the current context and expects exactly the given message
     * in the last result set (presumably the error set; confirm against
     * {@code TestUtils.verifyValidations}) while the other two stay empty.
     */
    private void assertValidationFails(MessageWithArgs messageWithArgs) {
        TestUtils.verifyValidations(context, new S3SecurityValidator(), shr, Collections.emptySet(), Collections.emptySet(), ImmutableSet.of(messageWithArgs));
    }

    /** With no account configured, validation passes on a non-Kerberos CDH 5.11 cluster. */
    @Test
    public void testNoAccountOk() {
        setupClusterAndConnector(CdhReleases.CDH5_11_0, null, false);
        assertValidationOk();
    }

    /** An IAM-role account passes validation on a non-Kerberos CDH 5.11 cluster. */
    @Test
    public void testIAMAccountOk() {
        DbExternalAccount iamAccount = createExternalAccount(3L, "iam_account", DbExternalAccountType.AWS_IAM_ROLES_AUTH);
        setupClusterAndConnector(CdhReleases.CDH5_11_0, iamAccount, false);
        assertValidationOk();
    }

    /** CDH 5.10, access-key account, Kerberos on, key distribution unset: validation passes. */
    @Test
    public void test510WithKerberosOk() {
        setupClusterAndConnector(CdhReleases.CDH5_10_0, awsKeyAccount(), true);
        createConfig(s3service, (ParamSpec<EnumParamSpec>) S3Params.KEY_DISTRIBUTION, (EnumParamSpec) null);
        assertValidationOk();
    }

    /** CDH 5.10, access-key account, Kerberos off, key distribution unset: the Kerberos error is reported. */
    @Test
    public void test510WithoutKerberosFails() {
        setupClusterAndConnector(CdhReleases.CDH5_10_0, awsKeyAccount(), false);
        createConfig(s3service, (ParamSpec<EnumParamSpec>) S3Params.KEY_DISTRIBUTION, (EnumParamSpec) null);
        assertValidationFails(kerberosRequiredError());
    }

    /** CDH 5.11, access-key account, SECURE key distribution, Kerberos on: validation passes. */
    @Test
    public void test511SecureModeOk() {
        setupClusterAndConnector(CdhReleases.CDH5_11_0, awsKeyAccount(), true);
        createConfig(s3service, (ParamSpec<EnumParamSpec>) S3Params.KEY_DISTRIBUTION, (EnumParamSpec) KeyDistributionPolicy.SECURE);
        assertValidationOk();
    }

    /** CDH 5.11, access-key account, SECURE key distribution, Kerberos off: the Kerberos error is reported. */
    @Test
    public void test511SecureModeWithoutKerberosFails() {
        setupClusterAndConnector(CdhReleases.CDH5_11_0, awsKeyAccount(), false);
        createConfig(s3service, (ParamSpec<EnumParamSpec>) S3Params.KEY_DISTRIBUTION, (EnumParamSpec) KeyDistributionPolicy.SECURE);
        assertValidationFails(kerberosRequiredError());
    }

    /**
     * CDH 5.11, access-key account, UNSECURE key distribution, Kerberos off: validation passes.
     *
     * <p>NOTE(review): this pins that the validator stays silent for access keys on an
     * unauthenticated cluster once UNSECURE is chosen. A clean validation result here says
     * nothing about how the keys are protected; how UNSECURE distribution handles them is
     * not visible in this file.
     */
    @Test
    public void test511UnsecureModeWithoutKerberosOk() {
        setupClusterAndConnector(CdhReleases.CDH5_11_0, awsKeyAccount(), false);
        createConfig(s3service, (ParamSpec<EnumParamSpec>) S3Params.KEY_DISTRIBUTION, (EnumParamSpec) KeyDistributionPolicy.UNSECURE);
        assertValidationOk();
    }

    /** CDH 5.11, access-key account, UNSECURE key distribution, Kerberos on: validation passes. */
    @Test
    public void test511UnsecureModeWithKerberosOk() {
        setupClusterAndConnector(CdhReleases.CDH5_11_0, awsKeyAccount(), true);
        createConfig(s3service, (ParamSpec<EnumParamSpec>) S3Params.KEY_DISTRIBUTION, (EnumParamSpec) KeyDistributionPolicy.UNSECURE);
        assertValidationOk();
    }
}
