package co.cask.cdap.security;

import co.cask.cdap.AllProgramsApp;
import co.cask.cdap.ConfigTestApp;
import co.cask.cdap.api.common.Bytes;
import co.cask.cdap.api.dataset.lib.CloseableIterator;
import co.cask.cdap.api.dataset.lib.KeyValueTable;
import co.cask.cdap.common.BadRequestException;
import co.cask.cdap.common.namespace.NamespaceAdmin;
import co.cask.cdap.common.utils.Tasks;
import co.cask.cdap.internal.test.AppJarHelper;
import co.cask.cdap.proto.Id;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.ProgramRunStatus;
import co.cask.cdap.proto.RunRecord;
import co.cask.cdap.proto.artifact.AppRequest;
import co.cask.cdap.proto.artifact.ArtifactSummary;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.Ids;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.id.StreamId;
import co.cask.cdap.proto.id.WorkflowId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.cdap.spark.stream.TestSparkCrossNSDatasetApp;
import co.cask.cdap.test.ApplicationManager;
import co.cask.cdap.test.ArtifactManager;
import co.cask.cdap.test.DataSetManager;
import co.cask.cdap.test.FlowManager;
import co.cask.cdap.test.MapReduceManager;
import co.cask.cdap.test.ProgramManager;
import co.cask.cdap.test.ServiceManager;
import co.cask.cdap.test.SlowTests;
import co.cask.cdap.test.SparkManager;
import co.cask.cdap.test.StreamManager;
import co.cask.cdap.test.TestBase;
import co.cask.cdap.test.TestConfiguration;
import co.cask.cdap.test.WorkerManager;
import co.cask.cdap.test.app.AppWithServices;
import co.cask.cdap.test.app.CrossNsDatasetAccessApp;
import co.cask.cdap.test.app.DatasetCrossNSAccessWithMAPApp;
import co.cask.cdap.test.app.DatasetWithMRApp;
import co.cask.cdap.test.app.DummyApp;
import co.cask.cdap.test.app.StreamAuthApp;
import co.cask.cdap.test.artifacts.plugins.ToStringPlugin;
import co.cask.common.http.HttpRequest;
import co.cask.common.http.HttpRequests;
import co.cask.common.http.HttpResponse;
import com.google.common.base.Charsets;
import com.google.common.base.Predicate;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.ExternalResource;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.Description;
import org.junit.runners.model.Statement;

/* loaded from: input_file:co/cask/cdap/security/AuthorizationTest.class */
public class AuthorizationTest extends TestBase {
    // Instance entity used in privilege assertions; assigned in setup() from the "instance.name" setting.
    private static InstanceId instance;
    // User id that SecurityRequestContext held before setup() switched it to alice.
    private static String oldUser;

    // Class-wide configuration: sets "explore.enabled" and "security.authorization.cache.enabled" to false.
    // NOTE(review): presumably the cache is disabled so that each grant/revoke is visible to the very next
    // enforcement call; confirm against the cache implementation.
    @ClassRule
    public static final TestConfiguration CONFIG = new TestConfiguration(new Object[]{"explore.enabled", false, "security.authorization.cache.enabled", false});
    // Every value of the Action enum.
    private static final EnumSet<Action> ALL_ACTIONS = EnumSet.allOf(Action.class);
    // The two user principals the tests act as; setup() makes alice the current user.
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);
    // Namespace (and its metadata) that the tests create and exercise privileges on.
    private static final NamespaceId AUTH_NAMESPACE = new NamespaceId("authorization");
    private static final NamespaceMeta AUTH_NAMESPACE_META = new NamespaceMeta.Builder().setName(AUTH_NAMESPACE.getNamespace()).build();

    // Second class rule: supplies the security/authorization settings built by AuthTestConf.
    @ClassRule
    public static final AuthTestConf AUTH_TEST_CONF = new AuthTestConf();

    /* loaded from: input_file:co/cask/cdap/security/AuthorizationTest$AuthTestConf.class */
    /**
     * JUnit rule that applies the security and authorization settings for this test class.
     *
     * <p>The authorizer extension jar is written under a {@link TemporaryFolder}, so the temporary
     * folder rule wraps the {@link TestConfiguration} rule that carries the settings.
     */
    private static final class AuthTestConf extends ExternalResource {
        private final TemporaryFolder tmpFolder = new TemporaryFolder();
        private TestConfiguration testConf;

        private AuthTestConf() {
        }

        /**
         * Wraps {@code statement} so that it runs inside the temporary folder rule and with the
         * authorization settings applied.
         *
         * @param statement the statement to run once the settings are in place
         * @param description description of the test, passed through to the nested rules
         * @return the wrapped statement
         */
        @Override
        public Statement apply(final Statement statement, final Description description) {
            final Statement withAuthSettings = new Statement() {
                @Override
                public void evaluate() throws Throwable {
                    // The folder only exists while tmpFolder's rule is active, hence the nesting.
                    final Object[] settings = getAuthConfigs(tmpFolder.newFolder());
                    testConf = new TestConfiguration(settings);
                    testConf.apply(statement, description).evaluate();
                }
            };
            return tmpFolder.apply(withAuthSettings, description);
        }

        /**
         * Builds the key/value setting pairs for an authorization-enabled run, packaging
         * {@link InMemoryAuthorizer} as the authorization extension jar.
         *
         * <p>NOTE(review): the value used for "security.enabled" and "security.authorization.enabled"
         * is the constant {@code AppWithServices.VALUE}, whose content is not visible in this file.
         * Confirm it enables both settings; otherwise every negative test here checks nothing.
         *
         * @param file directory in which the extension jar is created
         * @return alternating setting names and values
         * @throws IOException if the jar cannot be created
         */
        public static String[] getAuthConfigs(File file) throws IOException {
            final String authorizerJarPath = AppJarHelper
                .createDeploymentJar(new LocalLocationFactory(file), InMemoryAuthorizer.class, new File[0])
                .toURI()
                .getPath();
            return new String[] {
                "security.enabled", AppWithServices.VALUE,
                "security.authorization.enabled", AppWithServices.VALUE,
                "security.authorization.extension.jar.path", authorizerJarPath,
                "kerberos.auth.enabled", "false"
            };
        }
    }

    /**
     * Resolves the instance entity from configuration and makes alice the current user,
     * remembering the user id that was set before.
     */
    @BeforeClass
    public static void setup() {
        final String instanceName = getConfiguration().get("instance.name");
        instance = new InstanceId(instanceName);
        // Capture the previous identity before overwriting it with alice.
        oldUser = SecurityRequestContext.getUserId();
        final String alice = ALICE.getName();
        SecurityRequestContext.setUserId(alice);
    }

    /**
     * Precondition for every test: alice holds no privileges at all, so each test starts from a
     * known-empty authorization state.
     */
    @Before
    public void setupTest() throws Exception {
        final Authorizer authz = getAuthorizer();
        Assert.assertEquals(ImmutableSet.of(), authz.listPrivileges(ALICE));
    }

    /**
     * Exercises namespace operations as alice: creation is denied before any grant, dataset
     * deletion is denied after her namespace privileges are revoked, and it succeeds again once
     * ADMIN is granted back.
     */
    @Test
    public void testNamespaces() throws Exception {
        final NamespaceAdmin admin = getNamespaceAdmin();
        final Authorizer authz = getAuthorizer();

        // Negative case: alice has no privileges yet (see setupTest), so create must be refused.
        try {
            admin.create(AUTH_NAMESPACE_META);
            Assert.fail("Namespace create should have failed because alice is not authorized on " + instance);
        } catch (UnauthorizedException expected) {
            // Denial is the required outcome.
        }

        createAuthNamespace();
        // Both calls must complete without throwing once the namespace exists.
        admin.list();
        admin.get(AUTH_NAMESPACE.toId());

        // Negative case: with the namespace privileges revoked, deleting datasets must be refused.
        revokeAndAssertSuccess(AUTH_NAMESPACE);
        try {
            admin.deleteDatasets(AUTH_NAMESPACE.toId());
            Assert.fail("Namespace delete datasets should have failed because alice's privileges on the namespace have been revoked");
        } catch (UnauthorizedException expected) {
            // Denial is the required outcome.
        }

        // Positive case: ADMIN on the namespace is enough to delete its datasets.
        grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
        admin.deleteDatasets(AUTH_NAMESPACE.toId());

        // Alice must hold exactly ADMIN on the instance and ADMIN on the namespace, nothing more.
        final Set<Privilege> expectedPrivileges =
            ImmutableSet.of(new Privilege(instance, Action.ADMIN), new Privilege(AUTH_NAMESPACE, Action.ADMIN));
        Assert.assertEquals(expectedPrivileges, authz.listPrivileges(ALICE));

        final NamespaceMeta updatedMeta = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
        admin.updateProperties(AUTH_NAMESPACE.toId(), updatedMeta);
    }

    /**
     * Checks that the flow of {@link StreamAuthApp} processes stream events while alice can read
     * the stream, and that starting it is rejected once her READ privilege on the stream is gone.
     */
    @Test
    @Category({SlowTests.class})
    public void testFlowStreamAuth() throws Exception {
        createAuthNamespace();
        final Authorizer authz = getAuthorizer();
        final ApplicationManager appManager = deployApplication(AUTH_NAMESPACE.toId(), StreamAuthApp.class, new File[0]);
        // Reduce alice's privileges on the namespace itself to ADMIN only.
        authz.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
        authz.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));

        final FlowManager flow = appManager.getFlowManager(StreamAuthApp.FLOW);
        final StreamId streamId = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
        final StreamManager firstStream = getStreamManager(AUTH_NAMESPACE.toId(), StreamAuthApp.STREAM);
        final StreamManager secondStream = getStreamManager(AUTH_NAMESPACE.toId(), StreamAuthApp.STREAM2);

        // Phase 1: stream privileges untouched; the event must reach the key-value table.
        firstStream.send("Auth");
        flow.start();
        final Callable<Boolean> authEventStored = new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                final KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get();
                return table.read("Auth") != null;
            }
        };
        Tasks.waitFor(true, authEventStored, 5L, TimeUnit.SECONDS);
        flow.stop();
        flow.waitForFinish(5L, TimeUnit.SECONDS);

        // Phase 2: alice keeps WRITE, ADMIN and EXECUTE on the stream but loses READ.
        authz.revoke(streamId, ALICE, EnumSet.allOf(Action.class));
        authz.grant(streamId, ALICE, EnumSet.of(Action.WRITE, Action.ADMIN, Action.EXECUTE));
        firstStream.send("Security");
        secondStream.send("Safety");
        // NOTE(review): there is no Assert.fail after start(), so a start that is wrongly allowed
        // passes this step unnoticed. Confirm that start() is meant to throw here and, if so, fail
        // explicitly when it does not.
        try {
            flow.start();
        } catch (RuntimeException denied) {
            Assert.assertTrue(denied.getCause() instanceof UnauthorizedException);
        }

        // Phase 3: with READ granted back, the event sent during phase 2 must be processed.
        authz.grant(streamId, ALICE, ImmutableSet.of(Action.READ));
        flow.start();
        final Callable<Boolean> securityEventStored = new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                final KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get();
                return table.read("Security") != null;
            }
        };
        Tasks.waitFor(true, securityEventStored, 5L, TimeUnit.SECONDS);

        // READ is revoked while the flow is running; nothing is asserted about the effect, the
        // flow is only given a short pause before it is stopped.
        authz.revoke(streamId, ALICE, ImmutableSet.of(Action.READ));
        TimeUnit.MILLISECONDS.sleep(10L);
        flow.stop();
        flow.waitForFinish(5L, TimeUnit.SECONDS);
        appManager.delete();
    }

    /**
     * Runs the worker of {@link StreamAuthApp} twice and checks the stream event count: five events
     * after the first run, and still five after a second run made without WRITE on the stream.
     */
    @Test
    @Category({SlowTests.class})
    public void testWorkerStreamAuth() throws Exception {
        createAuthNamespace();
        final Authorizer authz = getAuthorizer();
        final ApplicationManager appManager = deployApplication(AUTH_NAMESPACE.toId(), StreamAuthApp.class, new File[0]);
        // Reduce alice's privileges on the namespace itself to ADMIN only.
        authz.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
        authz.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));

        // Run 1: stream privileges untouched.
        final WorkerManager worker = appManager.getWorkerManager(StreamAuthApp.WORKER);
        worker.start();
        worker.waitForFinish(5L, TimeUnit.SECONDS);
        try {
            worker.stop();
        } catch (Exception stopFailure) {
            // The only tolerated stop failure is one caused by BadRequestException.
            // NOTE(review): presumably raised when the worker has already finished; confirm.
            Assert.assertTrue(stopFailure.getCause() instanceof BadRequestException);
        }
        final StreamId streamId = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
        final StreamManager events = getStreamManager(AUTH_NAMESPACE.toId(), StreamAuthApp.STREAM);
        Assert.assertEquals(5L, events.getEvents(0L, Long.MAX_VALUE, Integer.MAX_VALUE).size());

        // Run 2: alice keeps READ, ADMIN and EXECUTE on the stream but loses WRITE.
        authz.revoke(streamId, ALICE, EnumSet.allOf(Action.class));
        authz.grant(streamId, ALICE, EnumSet.of(Action.READ, Action.ADMIN, Action.EXECUTE));
        worker.start();
        worker.waitForFinish(5L, TimeUnit.SECONDS);
        try {
            worker.stop();
        } catch (Exception stopFailure) {
            Assert.assertTrue(stopFailure.getCause() instanceof BadRequestException);
        }

        // All actions are granted back before counting; the count must be unchanged, i.e. the run
        // without WRITE added no events.
        authz.grant(streamId, ALICE, EnumSet.allOf(Action.class));
        Assert.assertEquals(5L, events.getEvents(0L, Long.MAX_VALUE, Integer.MAX_VALUE).size());

        appManager.delete();
        assertNoAccess(AUTH_NAMESPACE.app(StreamAuthApp.APP));
    }

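    /**
     * Runs the Spark program of {@link StreamAuthApp} three times and checks what reaches the
     * key-value table: "Hello" with the initial stream privileges, nothing for "World" (and one
     * FAILED run) while alice lacks READ on the stream, and "World" (two COMPLETED runs in total)
     * once READ is granted back.
     */
    @Test
    @Category({SlowTests.class})
    public void testSparkStreamAuth() throws Exception {
        createAuthNamespace();
        Authorizer authorizer = getAuthorizer();
        StreamId stream = AUTH_NAMESPACE.stream(StreamAuthApp.STREAM);
        ApplicationManager deployApplication = deployApplication(AUTH_NAMESPACE.toId(), StreamAuthApp.class, new File[0]);
        // Reduce alice's privileges on the namespace itself to ADMIN only.
        authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
        authorizer.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));
        StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.toId(), StreamAuthApp.STREAM);
        streamManager.send("Hello");
        final SparkManager sparkManager = deployApplication.getSparkManager(StreamAuthApp.SPARK);

        // Run 1: stream privileges untouched; the event must be copied to the table.
        sparkManager.start();
        sparkManager.waitForFinish(1L, TimeUnit.MINUTES);
        try {
            sparkManager.stop();
        } catch (Exception e) {
            // The only tolerated stop failure is one caused by BadRequestException.
            // NOTE(review): presumably raised when the program has already finished; confirm.
            Assert.assertTrue(e.getCause() instanceof BadRequestException);
        }
        // try-with-resources closes the table even when the assertion throws.
        try (KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get()) {
            Assert.assertArrayEquals(Bytes.toBytes("Hello"), table.read("Hello"));
        }

        // Run 2: alice keeps WRITE, ADMIN and EXECUTE on the stream but loses READ. The run must
        // be recorded as FAILED and must not have copied the new event.
        streamManager.send("World");
        authorizer.revoke(stream, ALICE, EnumSet.allOf(Action.class));
        authorizer.grant(stream, ALICE, EnumSet.of(Action.WRITE, Action.ADMIN, Action.EXECUTE));
        sparkManager.start();
        sparkManager.waitForFinish(1L, TimeUnit.MINUTES);
        try {
            sparkManager.stop();
        } catch (Exception e) {
            Assert.assertTrue(e.getCause() instanceof BadRequestException);
        }
        Tasks.waitFor(1, new Callable<Integer>() {
            @Override
            public Integer call() throws Exception {
                return Integer.valueOf(sparkManager.getHistory(ProgramRunStatus.FAILED).size());
            }
        }, 5L, TimeUnit.SECONDS);
        try (KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get()) {
            Assert.assertNull(table.read("World"));
        }

        // Run 3: READ granted back; the pending event must now be copied and the run COMPLETED.
        authorizer.grant(stream, ALICE, ImmutableSet.of(Action.READ));
        sparkManager.start();
        sparkManager.waitForFinish(1L, TimeUnit.MINUTES);
        try {
            sparkManager.stop();
        } catch (Exception e) {
            Assert.assertTrue(e.getCause() instanceof BadRequestException);
        }
        Tasks.waitFor(2, new Callable<Integer>() {
            @Override
            public Integer call() throws Exception {
                return Integer.valueOf(sparkManager.getHistory(ProgramRunStatus.COMPLETED).size());
            }
        }, 5L, TimeUnit.SECONDS);
        try (KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get()) {
            Assert.assertArrayEquals(Bytes.toBytes("World"), table.read("World"));
        }

        deployApplication.delete();
        assertNoAccess(AUTH_NAMESPACE.app(StreamAuthApp.APP));
    }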

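    /**
     * Runs the MapReduce program of {@link StreamAuthApp} as alice and then as bob. As alice the
     * run completes and "Hello" reaches the key-value table. As bob, who holds only ADMIN on the
     * stream, the run is recorded as FAILED and "World" is absent; after READ on the stream is
     * granted to bob the next run completes and "World" is present.
     */
    @Test
    @Category({SlowTests.class})
    public void testMRStreamAuth() throws Exception {
        createAuthNamespace();
        Authorizer authorizer = getAuthorizer();
        ApplicationManager deployApplication = deployApplication(AUTH_NAMESPACE.toId(), StreamAuthApp.class, new File[0]);
        // Reduce alice's privileges on the namespace itself to ADMIN only.
        authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
        authorizer.grant(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.ADMIN));
        StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.toId(), StreamAuthApp.STREAM);
        streamManager.send("Hello");
        final MapReduceManager mapReduceManager = deployApplication.getMapReduceManager(StreamAuthApp.MAPREDUCE);

        // Run 1, as alice: the event must be copied to the table and the run COMPLETED.
        mapReduceManager.start();
        mapReduceManager.waitForFinish(1L, TimeUnit.MINUTES);
        try {
            mapReduceManager.stop();
        } catch (Exception e) {
            // The only tolerated stop failure is one caused by BadRequestException.
            // NOTE(review): presumably raised when the program has already finished; confirm.
            Assert.assertTrue(e.getCause() instanceof BadRequestException);
        }
        // try-with-resources closes the table even when the assertion throws.
        try (KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get()) {
            Assert.assertArrayEquals(Bytes.toBytes("Hello"), table.read("Hello"));
        }
        Tasks.waitFor(1, new Callable<Integer>() {
            @Override
            public Integer call() throws Exception {
                return Integer.valueOf(mapReduceManager.getHistory(ProgramRunStatus.COMPLETED).size());
            }
        }, 5L, TimeUnit.SECONDS);

        // Give bob everything needed to launch the program except READ on the stream: ADMIN on the
        // namespace, all actions on the artifact, app, program and dataset, and ADMIN only on the
        // stream.
        ProgramId mr = AUTH_NAMESPACE.app(StreamAuthApp.APP).mr(StreamAuthApp.MAPREDUCE);
        authorizer.grant(mr.getNamespaceId(), BOB, ImmutableSet.of(Action.ADMIN));
        ArtifactSummary artifact = deployApplication.getInfo().getArtifact();
        authorizer.grant(AUTH_NAMESPACE.artifact(artifact.getName(), artifact.getVersion()), BOB, EnumSet.allOf(Action.class));
        authorizer.grant(mr.getParent(), BOB, EnumSet.allOf(Action.class));
        authorizer.grant(mr, BOB, EnumSet.allOf(Action.class));
        authorizer.grant(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM), BOB, EnumSet.of(Action.ADMIN));
        authorizer.grant(AUTH_NAMESPACE.dataset(StreamAuthApp.KVTABLE), BOB, EnumSet.allOf(Action.class));
        streamManager.send("World");

        SecurityRequestContext.setUserId(BOB.getName());
        try {
            // Run 2, as bob without READ on the stream: the run must be recorded as FAILED and
            // must not have copied the new event.
            mapReduceManager.start();
            mapReduceManager.waitForFinish(1L, TimeUnit.MINUTES);
            try {
                mapReduceManager.stop();
            } catch (Exception e) {
                Assert.assertTrue(e.getCause() instanceof BadRequestException);
            }
            Tasks.waitFor(1, new Callable<Integer>() {
                @Override
                public Integer call() throws Exception {
                    return Integer.valueOf(mapReduceManager.getHistory(ProgramRunStatus.FAILED).size());
                }
            }, 5L, TimeUnit.SECONDS);
            try (KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get()) {
                Assert.assertNull(table.read("World"));
            }

            // Run 3, as bob with READ granted: the pending event must be copied and the run COMPLETED.
            authorizer.grant(AUTH_NAMESPACE.stream(StreamAuthApp.STREAM), BOB, ImmutableSet.of(Action.READ));
            mapReduceManager.start();
            mapReduceManager.waitForFinish(1L, TimeUnit.MINUTES);
            try {
                mapReduceManager.stop();
            } catch (Exception e) {
                Assert.assertTrue(e.getCause() instanceof BadRequestException);
            }
            Tasks.waitFor(2, new Callable<Integer>() {
                @Override
                public Integer call() throws Exception {
                    return Integer.valueOf(mapReduceManager.getHistory(ProgramRunStatus.COMPLETED).size());
                }
            }, 5L, TimeUnit.SECONDS);
            try (KeyValueTable table = (KeyValueTable) getDataset(AUTH_NAMESPACE.toId(), StreamAuthApp.KVTABLE).get()) {
                Assert.assertEquals("World", Bytes.toString(table.read("World")));
            }
        } finally {
            // Restore alice even when an assertion above fails, so that nothing after this point
            // runs under bob's identity by accident.
            SecurityRequestContext.setUserId(ALICE.getName());
        }

        deployApplication.delete();
        assertNoAccess(AUTH_NAMESPACE.app(StreamAuthApp.APP));
    }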

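    /**
     * Covers application deployment, update and deletion under authorization: alice cannot deploy
     * into the default namespace, holds all actions on what she deploys into the test namespace,
     * and bob can neither update nor delete her app until he holds ADMIN on the app and READ on the
     * namespace. The second half checks privileges after per-program revocation and that deleting
     * all applications requires ADMIN on each app.
     */
    @Test
    @Category({SlowTests.class})
    public void testApps() throws Exception {
        // Negative case: alice has no privileges on the default namespace.
        try {
            deployApplication(NamespaceId.DEFAULT.toId(), DummyApp.class, new File[0]);
            Assert.fail("App deployment should fail because alice does not have WRITE access on the default namespace");
        } catch (RuntimeException e) {
            Assert.assertTrue(e.getCause() instanceof UnauthorizedException);
        }
        createAuthNamespace();
        Authorizer authorizer = getAuthorizer();
        ApplicationManager deployApplication = deployApplication(AUTH_NAMESPACE.toId(), DummyApp.class, new File[0]);
        ApplicationId app = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
        ArtifactSummary artifact = deployApplication.getInfo().getArtifact();
        ArtifactId artifact2 = Ids.namespace(app.getNamespace()).artifact(artifact.getName(), artifact.getVersion());
        ProgramId service = app.service("Greeting");
        DatasetId dataset = AUTH_NAMESPACE.dataset("whom");
        StreamId stream = AUTH_NAMESPACE.stream("who");
        // The deployer must hold every action on each entity the deployment created; bob none.
        assertAllAccess(ALICE, AUTH_NAMESPACE, app, artifact2, service, dataset, stream);
        Assert.assertTrue("Bob should not have any privileges on alice's app", authorizer.listPrivileges(BOB).isEmpty());
        String version = artifact.getVersion();
        deployApplication.update(new AppRequest(artifact));

        SecurityRequestContext.setUserId(BOB.getName());
        try {
            // Negative case: bob holds nothing on the app, so the update must be refused.
            try {
                deployApplication.update(new AppRequest(new ArtifactSummary(DummyApp.class.getSimpleName(), version)));
                // The acting user at this point is bob, so the message names him.
                Assert.fail("App update should have failed because Bob does not have admin privileges on the app.");
            } catch (Exception expected) {
                // Denial is the required outcome.
            }
            // Negative case: READ and WRITE on the app are not enough to delete it. The explicit
            // fail matters: without it a wrongly permitted delete would go unnoticed here.
            grantAndAssertSuccess(app, BOB, ImmutableSet.of(Action.READ, Action.WRITE));
            try {
                deployApplication.delete();
                Assert.fail("Deletion should have failed because Bob does not have admin privileges on the app");
            } catch (Exception expected) {
                // Denial is the required outcome.
            }
            // Negative case: ADMIN on the app without any privilege on the namespace is still refused.
            grantAndAssertSuccess(app, BOB, ImmutableSet.of(Action.ADMIN));
            try {
                deployApplication.delete();
                Assert.fail("Deletion should have failed since Bob don't have any privileges to namespace");
            } catch (Exception expected) {
                // Denial is the required outcome.
            }
            // Positive case: with READ on the namespace added, bob can delete the app.
            grantAndAssertSuccess(AUTH_NAMESPACE, BOB, ImmutableSet.of(Action.READ));
            deployApplication.delete();
            // The deleted app must no longer pass bob's visibility filter, and alice keeps her
            // privileges on everything except the app and its program.
            Assert.assertFalse(getAuthorizer().createFilter(BOB).apply(app));
            assertAllAccess(ALICE, AUTH_NAMESPACE, artifact2, dataset, stream);
            authorizer.revoke(AUTH_NAMESPACE, BOB, ImmutableSet.of(Action.READ));
            Assert.assertTrue("Bob should not have any privileges because all privileges on the app have been revoked since the app got deleted", authorizer.listPrivileges(BOB).isEmpty());
        } finally {
            // Restore alice even when an assertion above fails, so that nothing after this point
            // runs under bob's identity by accident.
            SecurityRequestContext.setUserId(ALICE.getName());
        }

        // Second half, as alice: deploy two apps and check privileges on every created entity.
        ArtifactSummary artifact3 = deployApplication(AUTH_NAMESPACE.toId(), DummyApp.class, new File[0]).getInfo().getArtifact();
        ArtifactId artifact4 = AUTH_NAMESPACE.artifact(artifact3.getName(), artifact3.getVersion());
        ArtifactSummary artifact5 = deployApplication(AUTH_NAMESPACE.toId(), AllProgramsApp.class, new File[0]).getInfo().getArtifact();
        ArtifactId artifact6 = AUTH_NAMESPACE.artifact(artifact5.getName(), artifact5.getVersion());
        ApplicationId app2 = AUTH_NAMESPACE.app("App");
        ProgramId flow = app2.flow("NoOpFlow");
        ProgramId mr = app2.mr("NoOpMR");
        ProgramId mr2 = app2.mr("NoOpMR2");
        ProgramId spark = app2.spark("NoOpSpark");
        WorkflowId workflow = app2.workflow("NoOpWorkflow");
        ProgramId service2 = app2.service("NoOpService");
        ProgramId worker = app2.worker("NoOpWorker");
        DatasetId dataset2 = AUTH_NAMESPACE.dataset("kvt");
        DatasetId dataset3 = AUTH_NAMESPACE.dataset("kvt2");
        DatasetId dataset4 = AUTH_NAMESPACE.dataset("kvt3");
        DatasetId dataset5 = AUTH_NAMESPACE.dataset("dsWithSchema");
        StreamId stream2 = AUTH_NAMESPACE.stream("stream");
        assertAllAccess(ALICE, AUTH_NAMESPACE, artifact2, artifact4, artifact6, app, stream, app2, service, flow, mr, mr2, spark, workflow, service2, worker, dataset, dataset2, dataset3, dataset4, dataset5, stream2);
        // Drop every privilege on the second app and its programs; the rest must be unaffected.
        authorizer.revoke(app2);
        authorizer.revoke(flow);
        authorizer.revoke(mr);
        authorizer.revoke(mr2);
        authorizer.revoke(spark);
        authorizer.revoke(workflow);
        authorizer.revoke(service2);
        authorizer.revoke(worker);
        assertAllAccess(ALICE, AUTH_NAMESPACE, artifact2, artifact4, artifact6, app, stream, service, dataset, dataset2, dataset3, dataset4, dataset5, stream2);
        // Negative case: READ, WRITE and EXECUTE on the namespace do not allow deleting an app on
        // which alice no longer holds ADMIN.
        authorizer.revoke(AUTH_NAMESPACE, ALICE, EnumSet.allOf(Action.class));
        grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.READ, Action.WRITE, Action.EXECUTE));
        try {
            deleteAllApplications(AUTH_NAMESPACE);
            Assert.fail("Deleting all applications in the namespace should have failed because alice does not have ADMIN privilege on the workflow app.");
        } catch (UnauthorizedException expected) {
            // Denial is the required outcome.
        }
        grantAndAssertSuccess(app2, ALICE, ImmutableSet.of(Action.ADMIN));
        deleteAllApplications(AUTH_NAMESPACE);
        // Namespace privileges must survive the deletion, as must those on artifacts, streams and datasets.
        getAuthorizer().enforce(AUTH_NAMESPACE, ALICE, EnumSet.of(Action.READ, Action.WRITE, Action.EXECUTE));
        assertAllAccess(ALICE, artifact2, artifact4, artifact6, stream, dataset, dataset2, dataset3, dataset4, dataset5, stream2);
    }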

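    /**
     * Covers artifact operations under authorization: alice cannot add artifacts to the default
     * namespace, holds all actions on the artifacts she adds to the test namespace, and bob is
     * refused every write, property removal and delete on them. After alice deletes the artifacts
     * no privileges on them remain.
     */
    @Test
    public void testArtifacts() throws Exception {
        // Negative cases: alice has no privileges on the default namespace.
        try {
            addAppArtifact(NamespaceId.DEFAULT.artifact("app-artifact", "1.1.1"), ConfigTestApp.class);
            Assert.fail("Should not be able to add an app artifact to the default namespace because alice does not have write privileges on the default namespace.");
        } catch (UnauthorizedException expected) {
            // Denial is the required outcome.
        }
        try {
            addAppArtifact(NamespaceId.DEFAULT.artifact("plugin-artifact", "1.2.3"), ToStringPlugin.class);
            Assert.fail("Should not be able to add a plugin artifact to the default namespace because alice does not have write privileges on the default namespace.");
        } catch (UnauthorizedException expected) {
            // Denial is the required outcome.
        }
        createAuthNamespace();
        ArtifactId artifact = AUTH_NAMESPACE.artifact("app-artifact", "1.1.1");
        ArtifactManager addAppArtifact = addAppArtifact(artifact, ConfigTestApp.class);
        ArtifactId artifact2 = AUTH_NAMESPACE.artifact("plugin-artifact", "1.2.3");
        ArtifactManager addPluginArtifact = addPluginArtifact(artifact2, artifact, ToStringPlugin.class, new Class[0]);
        assertAllAccess(ALICE, AUTH_NAMESPACE, artifact, artifact2);

        // Negative cases as bob, who holds nothing on either artifact.
        SecurityRequestContext.setUserId(BOB.getName());
        try {
            try {
                addAppArtifact.writeProperties(ImmutableMap.of("authorized", "no"));
                Assert.fail("Writing properties to artifact should have failed because Bob does not have admin privileges on the artifact");
            } catch (UnauthorizedException expected) {
                // Denial is the required outcome.
            }
            try {
                addAppArtifact.delete();
                Assert.fail("Deleting artifact should have failed because Bob does not have admin privileges on the artifact");
            } catch (UnauthorizedException expected) {
                // Denial is the required outcome.
            }
            try {
                addPluginArtifact.writeProperties(ImmutableMap.of("authorized", "no"));
                Assert.fail("Writing properties to artifact should have failed because Bob does not have admin privileges on the artifact");
            } catch (UnauthorizedException expected) {
                // Denial is the required outcome.
            }
            try {
                addPluginArtifact.removeProperties();
                Assert.fail("Removing properties to artifact should have failed because Bob does not have admin privileges on the artifact");
            } catch (UnauthorizedException expected) {
                // Denial is the required outcome.
            }
            try {
                addPluginArtifact.delete();
                Assert.fail("Deleting artifact should have failed because Bob does not have admin privileges on the artifact");
            } catch (UnauthorizedException expected) {
                // Denial is the required outcome.
            }
        } finally {
            // Restore alice even when an assertion above fails, so that nothing after this point
            // runs under bob's identity by accident.
            SecurityRequestContext.setUserId(ALICE.getName());
        }

        // Positive cases as alice, then confirm that deleting the artifacts removed the privileges.
        addAppArtifact.writeProperties(ImmutableMap.of("authorized", "yes"));
        addAppArtifact.removeProperties();
        addAppArtifact.delete();
        addPluginArtifact.delete();
        assertNoAccess(artifact);
        assertNoAccess(artifact2);
    }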

    /**
     * Verifies program-level authorization on a service: the deploying user can start, scale,
     * configure and stop it, while a second user without privileges is rejected on each of those
     * operations. Deleting the application must remove the privileges on it.
     */
    @Test
    public void testPrograms() throws Exception {
        createAuthNamespace();
        final ApplicationManager appManager = deployApplication(AUTH_NAMESPACE.toId(), DummyApp.class, new File[0]);
        ArtifactSummary artifactSummary = appManager.getInfo().getArtifact();
        ArtifactId appArtifactId = AUTH_NAMESPACE.artifact(artifactSummary.getName(), artifactSummary.getVersion());
        ApplicationId appId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName());
        final ProgramId greetingService = appId.service("Greeting");
        assertAllAccess(ALICE, AUTH_NAMESPACE, appArtifactId, appId, greetingService, AUTH_NAMESPACE.dataset("whom"), AUTH_NAMESPACE.stream("who"));

        // One poller serves both the "has started" and the "has stopped" wait below.
        Callable<Boolean> serviceIsRunning = new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                return appManager.isRunning(greetingService.toId());
            }
        };

        // Allowed path: the deploying user drives the service through its lifecycle.
        appManager.startProgram(greetingService.toId());
        Tasks.waitFor(true, serviceIsRunning, 5L, TimeUnit.SECONDS);
        ServiceManager serviceManager = appManager.getServiceManager(greetingService.getProgram());
        serviceManager.setInstances(2);
        Assert.assertEquals(2L, serviceManager.getProvisionedInstances());
        ImmutableMap<String, String> runtimeArgs = ImmutableMap.of("key", "value");
        serviceManager.setRuntimeArgs(runtimeArgs);
        appManager.stopProgram(greetingService.toId());
        Tasks.waitFor(false, serviceIsRunning, 5L, TimeUnit.SECONDS);

        // Denied path: bob holds no privileges on the app or the service.
        SecurityRequestContext.setUserId(BOB.getName());
        try {
            appManager.startProgram(greetingService.toId());
            Assert.fail("Bob should not be able to start the service because he does not have admin privileges on it.");
        } catch (RuntimeException wrapped) {
            // The manager wraps the failure, so the authorization error is the root cause.
            Assert.assertTrue(Throwables.getRootCause(wrapped) instanceof UnauthorizedException);
        }
        try {
            appManager.getInfo();
            Assert.fail("Bob should not be able to read the app info with out privileges");
        } catch (Exception ignored) {
            // NOTE(review): any Exception satisfies this check, so it does not prove the read was
            // refused for authorization reasons. Consider asserting on the root cause as the
            // neighbouring checks do, once the thrown type is confirmed.
        }
        try {
            serviceManager.setInstances(3);
            Assert.fail("Setting instances should have failed because bob does not have admin privileges on the service.");
        } catch (RuntimeException wrapped) {
            Assert.assertTrue(Throwables.getRootCause(wrapped) instanceof UnauthorizedException);
        }
        try {
            serviceManager.setRuntimeArgs(runtimeArgs);
            Assert.fail("Setting runtime arguments should have failed because bob does not have admin privileges on the service");
        } catch (UnauthorizedException expected) {
            // expected: this call surfaces the authorization error unwrapped
        }

        // Clean up as alice and confirm the app's privileges are gone.
        SecurityRequestContext.setUserId(ALICE.getName());
        appManager.delete();
        assertNoAccess(appId);
    }

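    /**
     * Deploys the cross-namespace flow app, feeds ten events into its stream as bob, and then runs
     * the system-namespace and cross-namespace dataset access checks against the flow.
     */
    @Test
    public void testCrossNSFlowlet() throws Exception {
        createAuthNamespace();
        ApplicationManager appManager = deployApplication(AUTH_NAMESPACE.toId(), CrossNsDatasetAccessApp.class, new File[0]);
        grantAndAssertSuccess(AUTH_NAMESPACE, BOB, EnumSet.allOf(Action.class));

        // The events are sent under bob's identity.
        SecurityRequestContext.setUserId(BOB.getName());
        StreamManager streamManager = getStreamManager(AUTH_NAMESPACE.toId(), CrossNsDatasetAccessApp.STREAM_NAME);
        for (int i = 0; i < 10; i++) {
            // Encode explicitly as UTF-8: the cross-namespace check reads the values back with
            // Charsets.UTF_8, so the payload must not depend on the platform default charset.
            streamManager.send(String.valueOf(i).getBytes(Charsets.UTF_8));
        }

        SecurityRequestContext.setUserId(ALICE.getName());
        FlowManager flowManager = appManager.getFlowManager(CrossNsDatasetAccessApp.FLOW_NAME);
        testSystemDatasetAccessFromFlowlet(flowManager);
        testCrossNSDatasetAccessFromFlowlet(flowManager);
        appManager.stopAll();
    }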

    /**
     * Runs the flow as bob with its output pointed at a dataset in the system namespace and
     * asserts that the dataset stays empty, even though bob was granted WRITE on it.
     *
     * @param flowManager manager of the flow under test
     */
    private void testSystemDatasetAccessFromFlowlet(final FlowManager flowManager) throws Exception {
        addDatasetInstance(Id.Namespace.SYSTEM, "keyValueTable", "store");
        // presumably writes into the system namespace are refused regardless of this grant;
        // confirm against the authorization enforcement in the runtime.
        grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("store"), BOB, EnumSet.of(Action.WRITE));

        SecurityRequestContext.setUserId(BOB.getName());
        String systemNamespace = NamespaceId.SYSTEM.getNamespace();
        flowManager.start(ImmutableMap.of(CrossNsDatasetAccessApp.OUTPUT_DATASET_NS, systemNamespace, "output.dataset.name", "store"));
        Callable<Boolean> flowIsRunning = new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                return flowManager.isRunning();
            }
        };
        Tasks.waitFor(true, flowIsRunning, 120L, TimeUnit.SECONDS);
        // NOTE(review): the flow is stopped as soon as it reports running; nothing here waits for
        // the flowlet to attempt a write, so the emptiness check below may pass without the denied
        // write ever having been exercised.
        flowManager.stop();
        assertDatasetIsEmpty(NamespaceId.SYSTEM, "store");

        SecurityRequestContext.setUserId(ALICE.getName());
        deleteDatasetInstance(NamespaceId.SYSTEM, "store");
    }

    /**
     * Runs the flow as bob with its output pointed at a dataset in another namespace: without a
     * grant the dataset must stay empty; after WRITE is granted on the dataset, the ten stream
     * events must be readable from it.
     *
     * @param flowManager manager of the flow under test
     */
    private void testCrossNSDatasetAccessFromFlowlet(final FlowManager flowManager) throws Exception {
        NamespaceMeta outputNsMeta = new NamespaceMeta.Builder().setName("outputNS").build();
        getNamespaceAdmin().create(outputNsMeta);
        NamespaceId outputNs = outputNsMeta.getNamespaceId();
        addDatasetInstance(outputNs.toId(), "keyValueTable", "store");

        // Phase 1: bob has no privilege on the output dataset.
        SecurityRequestContext.setUserId(BOB.getName());
        ImmutableMap<String, String> flowArgs =
            ImmutableMap.of(CrossNsDatasetAccessApp.OUTPUT_DATASET_NS, outputNs.getNamespace(), "output.dataset.name", "store");
        flowManager.start(flowArgs);
        Callable<Boolean> flowIsRunning = new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                return flowManager.isRunning();
            }
        };
        Tasks.waitFor(true, flowIsRunning, 120L, TimeUnit.SECONDS);
        // NOTE(review): as in the system-dataset check, nothing waits for the flowlet to attempt a
        // write before the flow is stopped, so the emptiness assertion can pass vacuously.
        flowManager.stop();
        SecurityRequestContext.setUserId(ALICE.getName());
        assertDatasetIsEmpty(outputNs, "store");

        // Phase 2: grant exactly WRITE on the output dataset and run again.
        grantAndAssertSuccess(outputNs.dataset("store"), BOB, EnumSet.of(Action.WRITE));
        SecurityRequestContext.setUserId(BOB.getName());
        flowManager.start(flowArgs);
        flowManager.getFlowletMetrics("saver").waitForProcessed(10L, 30L, TimeUnit.SECONDS);

        // Read the results back as alice: each event is stored under its own bytes as key.
        SecurityRequestContext.setUserId(ALICE.getName());
        KeyValueTable store = (KeyValueTable) getDataset(outputNs.toId(), "store").get();
        for (int i = 0; i < 10; i++) {
            byte[] event = String.valueOf(i).getBytes(Charsets.UTF_8);
            Assert.assertArrayEquals(event, store.read(event));
        }
        flowManager.stop();
        getNamespaceAdmin().delete(outputNs.toId());
    }

    /**
     * Deploys the cross-namespace MapReduce app, grants bob every action on the test namespace,
     * and runs the system-namespace and cross-namespace dataset access checks against the
     * "copymr" program.
     */
    @Test
    public void testCrossNSMapReduce() throws Exception {
        createAuthNamespace();
        ApplicationManager appManager =
            deployApplication(AUTH_NAMESPACE.toId(), DatasetCrossNSAccessWithMAPApp.class, new File[0]);
        grantAndAssertSuccess(AUTH_NAMESPACE, BOB, EnumSet.allOf(Action.class));

        MapReduceManager copyJob = appManager.getMapReduceManager("copymr");
        testCrossNSSystemDatasetAccessWithAuthMapReduce(copyJob);
        testCrossNSDatasetAccessWithAuthMapReduce(copyJob);
        appManager.stopAll();
    }

    /**
     * Asserts that the MapReduce program fails, and writes nothing, when either its input or its
     * output dataset lives in the system namespace, even though bob was granted READ/WRITE on
     * those datasets.
     *
     * @param mapReduceManager manager of the MapReduce program under test
     */
    private void testCrossNSSystemDatasetAccessWithAuthMapReduce(MapReduceManager mapReduceManager) throws Exception {
        addDatasetInstance(Id.Namespace.SYSTEM, "keyValueTable", "table1").create();
        addDatasetInstance(Id.Namespace.SYSTEM, "keyValueTable", "table2").create();
        NamespaceMeta otherNsMeta = new NamespaceMeta.Builder().setName("otherNS").build();
        getNamespaceAdmin().create(otherNsMeta);
        NamespaceId otherNs = otherNsMeta.getNamespaceId();
        addDatasetInstance(otherNs.toId(), "keyValueTable", "otherTable").create();
        addDummyData(NamespaceId.SYSTEM, "table1");

        // Direction 1: read from the system namespace, write to the other namespace.
        ImmutableMap<String, String> systemToOther = ImmutableMap.of(
            "input.dataset.namespace", NamespaceId.SYSTEM.getNamespace(),
            "input.dataset.name", "table1",
            "output.dataset.namespace", otherNs.getNamespace(),
            "output.dataset.name", "otherTable");

        // presumably access to system-namespace datasets is refused regardless of these grants;
        // confirm against the runtime's enforcement.
        grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ));
        grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE));
        grantAndAssertSuccess(otherNs.dataset("otherTable"), BOB, ALL_ACTIONS);

        SecurityRequestContext.setUserId(BOB.getName());
        assertProgramFailure(systemToOther, mapReduceManager);
        assertDatasetIsEmpty(otherNs, "otherTable");

        // Direction 2: read from the other namespace, write to the system namespace.
        ImmutableMap<String, String> otherToSystem = ImmutableMap.of(
            "input.dataset.namespace", otherNsMeta.getName(),
            "input.dataset.name", "otherTable",
            "output.dataset.namespace", NamespaceId.SYSTEM.getNamespace(),
            "output.dataset.name", "table2");
        addDummyData(otherNs, "otherTable");
        assertProgramFailure(otherToSystem, mapReduceManager);
        assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2");

        // Clean up as alice.
        SecurityRequestContext.setUserId(ALICE.getName());
        deleteDatasetInstance(NamespaceId.SYSTEM, "table1");
        deleteDatasetInstance(NamespaceId.SYSTEM, "table2");
        getNamespaceAdmin().delete(otherNs.toId());
    }

    /**
     * Checks cross-namespace dataset access from MapReduce one grant at a time: the run as bob must
     * fail with no privileges, still fail with READ on the input only, and succeed once WRITE on
     * the output is granted as well.
     *
     * @param mapReduceManager manager of the MapReduce program under test
     */
    private void testCrossNSDatasetAccessWithAuthMapReduce(MapReduceManager mapReduceManager) throws Exception {
        NamespaceMeta inputNsMeta = new NamespaceMeta.Builder().setName("inputNS").build();
        getNamespaceAdmin().create(inputNsMeta);
        NamespaceMeta outputNsMeta = new NamespaceMeta.Builder().setName("outputNS").build();
        getNamespaceAdmin().create(outputNsMeta);
        NamespaceId inputNs = inputNsMeta.getNamespaceId();
        NamespaceId outputNs = outputNsMeta.getNamespaceId();
        addDatasetInstance(inputNs.toId(), "keyValueTable", "table1").create();
        addDatasetInstance(outputNs.toId(), "keyValueTable", "table2").create();
        addDummyData(inputNs, "table1");
        ImmutableMap<String, String> jobArgs = ImmutableMap.of(
            "input.dataset.namespace", inputNs.getNamespace(),
            "input.dataset.name", "table1",
            "output.dataset.namespace", outputNs.getNamespace(),
            "output.dataset.name", "table2");

        // Step 1: no privileges on either dataset.
        SecurityRequestContext.setUserId(BOB.getName());
        assertProgramFailure(jobArgs, mapReduceManager);
        SecurityRequestContext.setUserId(ALICE.getName());
        assertDatasetIsEmpty(outputNs, "table2");

        // Step 2: READ on the input alone is not enough.
        grantAndAssertSuccess(inputNs.dataset("table1"), BOB, EnumSet.of(Action.READ));
        SecurityRequestContext.setUserId(BOB.getName());
        assertProgramFailure(jobArgs, mapReduceManager);
        SecurityRequestContext.setUserId(ALICE.getName());
        assertDatasetIsEmpty(outputNs, "table2");

        // Step 3: with WRITE on the output as well, the run goes through.
        grantAndAssertSuccess(outputNs.dataset("table2"), BOB, EnumSet.of(Action.WRITE));
        SecurityRequestContext.setUserId(BOB.getName());
        mapReduceManager.start(jobArgs);
        mapReduceManager.waitForFinish(5L, TimeUnit.MINUTES);

        // Verify the copied data and clean up as alice.
        SecurityRequestContext.setUserId(ALICE.getName());
        verifyDummyData(outputNs, "table2");
        getNamespaceAdmin().delete(inputNs.toId());
        getNamespaceAdmin().delete(outputNs.toId());
    }

    /**
     * Deploys the cross-namespace Spark app, grants bob every action on the test namespace, and
     * runs the system-namespace and cross-namespace dataset access checks against its Spark
     * program.
     */
    @Test
    public void testCrossNSSpark() throws Exception {
        createAuthNamespace();
        grantAndAssertSuccess(AUTH_NAMESPACE, BOB, ALL_ACTIONS);
        ApplicationManager appManager =
            deployApplication(AUTH_NAMESPACE.toId(), TestSparkCrossNSDatasetApp.class, new File[0]);

        String programName = TestSparkCrossNSDatasetApp.SparkCrossNSDatasetProgram.class.getSimpleName();
        SparkManager sparkJob = appManager.getSparkManager(programName);
        testCrossNSSystemDatasetAccessWithAuthSpark(sparkJob);
        testCrossNSDatasetAccessWithAuthSpark(sparkJob);
        appManager.stopAll();
    }

    /**
     * Asserts that the Spark program fails, and writes nothing, when either its input or its
     * output dataset lives in the system namespace, even though bob was granted READ/WRITE on
     * those datasets.
     *
     * @param sparkManager manager of the Spark program under test
     */
    private void testCrossNSSystemDatasetAccessWithAuthSpark(SparkManager sparkManager) throws Exception {
        addDatasetInstance(Id.Namespace.SYSTEM, "keyValueTable", "table1").create();
        addDatasetInstance(Id.Namespace.SYSTEM, "keyValueTable", "table2").create();
        NamespaceMeta otherNsMeta = new NamespaceMeta.Builder().setName("otherNS").build();
        getNamespaceAdmin().create(otherNsMeta);
        NamespaceId otherNs = otherNsMeta.getNamespaceId();
        addDatasetInstance(otherNs.toId(), "keyValueTable", "otherTable").create();
        addDummyData(NamespaceId.SYSTEM, "table1");

        // presumably access to system-namespace datasets is refused regardless of these grants;
        // confirm against the runtime's enforcement.
        grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table1"), BOB, EnumSet.of(Action.READ));
        grantAndAssertSuccess(NamespaceId.SYSTEM.dataset("table2"), BOB, EnumSet.of(Action.WRITE));
        grantAndAssertSuccess(otherNs.dataset("otherTable"), BOB, ALL_ACTIONS);

        // Direction 1: read from the system namespace, write to the other namespace.
        SecurityRequestContext.setUserId(BOB.getName());
        ImmutableMap<String, String> systemToOther = ImmutableMap.of(
            "input.dataset.namespace", NamespaceId.SYSTEM.getNamespace(),
            "input.dataset.name", "table1",
            "output.dataset.namespace", otherNs.getNamespace(),
            "output.dataset.name", "otherTable");
        assertProgramFailure(systemToOther, sparkManager);
        assertDatasetIsEmpty(otherNs, "otherTable");

        // Direction 2: read from the other namespace, write to the system namespace.
        ImmutableMap<String, String> otherToSystem = ImmutableMap.of(
            "input.dataset.namespace", otherNs.getNamespace(),
            "input.dataset.name", "otherTable",
            "output.dataset.namespace", NamespaceId.SYSTEM.getNamespace(),
            "output.dataset.name", "table2");
        addDummyData(otherNs, "otherTable");
        assertProgramFailure(otherToSystem, sparkManager);
        assertDatasetIsEmpty(NamespaceId.SYSTEM, "table2");

        // Clean up as alice.
        SecurityRequestContext.setUserId(ALICE.getName());
        deleteDatasetInstance(NamespaceId.SYSTEM, "table1");
        deleteDatasetInstance(NamespaceId.SYSTEM, "table2");
        getNamespaceAdmin().delete(otherNs.toId());
    }

    /**
     * Checks cross-namespace dataset access from Spark one grant at a time: the run as bob must
     * fail with no privileges, still fail with READ on the input only, and succeed once WRITE on
     * the output is granted as well.
     *
     * @param sparkManager manager of the Spark program under test
     */
    private void testCrossNSDatasetAccessWithAuthSpark(SparkManager sparkManager) throws Exception {
        NamespaceMeta inputNsMeta = new NamespaceMeta.Builder().setName("inputDatasetNS").build();
        NamespaceMeta outputNsMeta = new NamespaceMeta.Builder().setName("outputDatasetNS").build();
        getNamespaceAdmin().create(inputNsMeta);
        getNamespaceAdmin().create(outputNsMeta);
        NamespaceId inputNs = inputNsMeta.getNamespaceId();
        NamespaceId outputNs = outputNsMeta.getNamespaceId();
        addDatasetInstance(inputNs.toId(), "keyValueTable", DatasetWithMRApp.INPUT_KEY).create();
        addDatasetInstance(outputNs.toId(), "keyValueTable", "output").create();
        addDummyData(inputNs, DatasetWithMRApp.INPUT_KEY);

        // Step 1: no privileges on either dataset.
        SecurityRequestContext.setUserId(BOB.getName());
        ImmutableMap<String, String> jobArgs = ImmutableMap.of(
            "input.dataset.namespace", inputNs.getNamespace(),
            "input.dataset.name", DatasetWithMRApp.INPUT_KEY,
            "output.dataset.namespace", outputNs.getNamespace(),
            "output.dataset.name", "output");
        assertProgramFailure(jobArgs, sparkManager);
        SecurityRequestContext.setUserId(ALICE.getName());
        assertDatasetIsEmpty(outputNs, "output");

        // Step 2: READ on the input alone is not enough.
        grantAndAssertSuccess(inputNs.dataset(DatasetWithMRApp.INPUT_KEY), BOB, EnumSet.of(Action.READ));
        SecurityRequestContext.setUserId(BOB.getName());
        assertProgramFailure(jobArgs, sparkManager);
        SecurityRequestContext.setUserId(ALICE.getName());
        assertDatasetIsEmpty(outputNs, "output");

        // Step 3: with WRITE on the output as well, the run goes through.
        grantAndAssertSuccess(outputNs.dataset("output"), BOB, EnumSet.of(Action.WRITE));
        SecurityRequestContext.setUserId(BOB.getName());
        sparkManager.start(jobArgs);
        sparkManager.waitForFinish(120L, TimeUnit.SECONDS);

        // Verify the copied data and clean up as alice.
        SecurityRequestContext.setUserId(ALICE.getName());
        verifyDummyData(outputNs, "output");
        getNamespaceAdmin().delete(inputNs.toId());
        getNamespaceAdmin().delete(outputNs.toId());
    }

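    /**
     * Verifies that adding a partition through the service requires WRITE on the "pfs" dataset:
     * with only READ and EXECUTE on the namespace the POST is answered with 500; once WRITE is
     * granted on the dataset, POST, GET and DELETE all return 200.
     *
     * <p>Cleanup is expressed with {@code finally} blocks so the service is stopped exactly once
     * per start, and the request identity is reset to alice on every exit path, so a failure here
     * does not leave bob's identity in place for the per-test cleanup.
     */
    @Test
    public void testAddDropPartitions() throws Exception {
        createAuthNamespace();
        ApplicationManager appManager = deployApplication(AUTH_NAMESPACE.toId(), PartitionTestApp.class, new File[0]);
        grantAndAssertSuccess(AUTH_NAMESPACE, BOB, EnumSet.of(Action.READ, Action.EXECUTE));
        SecurityRequestContext.setUserId(BOB.getName());
        try {
            ServiceManager pfsService = appManager.getServiceManager(PartitionTestApp.PFS_SERVICE_NAME);
            String apiPath = String.format("partitions/%s/subpartitions/%s", "p1", "1");
            String text = "some random text for pfs";

            // Phase 1: bob lacks WRITE on the dataset, so adding a partition must not succeed.
            pfsService.start();
            try {
                pfsService.waitForStatus(true);
                URL deniedUrl = new URL(pfsService.getServiceURL(), apiPath);
                // NOTE(review): a 500 does not distinguish an authorization refusal from any other
                // server-side failure; if the response body or a more specific status is available,
                // asserting on it would make this check stricter.
                Assert.assertEquals(500L, HttpRequests.execute(HttpRequest.post(deniedUrl).withBody(text).build()).getResponseCode());
            } finally {
                pfsService.stop();
                pfsService.waitForFinish(5L, TimeUnit.SECONDS);
            }

            // Phase 2: grant exactly WRITE on the dataset and restart the service.
            grantAndAssertSuccess(AUTH_NAMESPACE.dataset("pfs"), BOB, EnumSet.of(Action.WRITE));
            pfsService.start();
            try {
                pfsService.waitForStatus(true);
                URL url = new URL(pfsService.getServiceURL(), apiPath);
                Assert.assertEquals(200L, HttpRequests.execute(HttpRequest.post(url).withBody(text).build()).getResponseCode());
                HttpResponse readBack = HttpRequests.execute(HttpRequest.get(url).build());
                Assert.assertEquals(200L, readBack.getResponseCode());
                Assert.assertEquals(text, readBack.getResponseBodyAsString());
                Assert.assertEquals(200L, HttpRequests.execute(HttpRequest.delete(url).build()).getResponseCode());
            } finally {
                pfsService.stop();
                pfsService.waitForFinish(5L, TimeUnit.SECONDS);
            }
        } finally {
            SecurityRequestContext.setUserId(ALICE.getName());
        }
    }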

    /**
     * Per-test cleanup: deletes the test namespace and checks that only alice's ADMIN privilege on
     * the instance is left, then revokes that as well.
     */
    @After
    public void cleanupTest() throws Exception {
        Authorizer authz = getAuthorizer();
        // Whoever the current request principal is gets every action on the namespace first, so
        // the delete below is authorized.
        Principal currentPrincipal = SecurityRequestContext.toPrincipal();
        grantAndAssertSuccess(AUTH_NAMESPACE, currentPrincipal, EnumSet.allOf(Action.class));
        getNamespaceAdmin().delete(AUTH_NAMESPACE.toId());

        // Deleting the namespace must have removed every privilege alice held inside it.
        Set<Privilege> expectedRemaining = ImmutableSet.of(new Privilege(instance, Action.ADMIN));
        Assert.assertEquals(expectedRemaining, authz.listPrivileges(ALICE));
        revokeAndAssertSuccess(instance);
    }

    /**
     * Class-level teardown: puts back the user id held in {@code oldUser} and then calls
     * {@code finish()}.
     */
    @AfterClass
    public static void cleanup() throws Exception {
        // Reset the request identity so it does not carry over past this test class.
        SecurityRequestContext.setUserId(oldUser);
        finish();
    }

    /**
     * Grants alice ADMIN on the instance, creates the test namespace, and asserts that alice then
     * holds exactly ADMIN on the instance plus ADMIN, READ, WRITE and EXECUTE on the namespace.
     */
    private void createAuthNamespace() throws Exception {
        Authorizer authz = getAuthorizer();
        grantAndAssertSuccess(instance, ALICE, ImmutableSet.of(Action.ADMIN));
        getNamespaceAdmin().create(AUTH_NAMESPACE_META);

        ImmutableSet.Builder<Privilege> expected = ImmutableSet.builder();
        expected.add(new Privilege(instance, Action.ADMIN));
        for (Action action : new Action[] {Action.ADMIN, Action.READ, Action.WRITE, Action.EXECUTE}) {
            expected.add(new Privilege(AUTH_NAMESPACE, action));
        }
        // Exact equality: a privilege outside this set fails the check as well.
        Assert.assertEquals(expected.build(), authz.listPrivileges(ALICE));
    }

    /**
     * Grants the given actions on an entity and asserts that the principal's privileges afterwards
     * are exactly the previous privileges plus one privilege per granted action.
     *
     * @param entityId  entity the actions are granted on
     * @param principal principal receiving the grant
     * @param set       actions to grant
     */
    private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        Authorizer authz = getAuthorizer();
        Set<Privilege> before = authz.listPrivileges(principal);
        authz.grant(entityId, principal, set);

        ImmutableSet.Builder<Privilege> granted = ImmutableSet.builder();
        for (Action action : set) {
            granted.add(new Privilege(entityId, action));
        }
        // Equality against the union also catches a grant that hands out more than was asked for.
        Set<Privilege> expected = Sets.union(before, granted.build());
        Assert.assertEquals(expected, authz.listPrivileges(principal));
    }

    /**
     * Revokes every privilege on the entity and asserts that neither test principal holds one on
     * it afterwards.
     *
     * @param entityId entity whose privileges are revoked
     */
    private void revokeAndAssertSuccess(EntityId entityId) throws Exception {
        Authorizer authz = getAuthorizer();
        authz.revoke(entityId);
        assertNoAccess(entityId);
    }

    /**
     * Asserts that neither alice nor bob holds any privilege on the given entity. Only these two
     * principals are inspected.
     *
     * @param entityId entity that must not appear in either principal's privileges
     */
    private void assertNoAccess(final EntityId entityId) throws Exception {
        Authorizer authz = getAuthorizer();
        Predicate<Privilege> onEntity = new Predicate<Privilege>() {
            @Override
            public boolean apply(Privilege privilege) {
                return entityId.equals(privilege.getEntity());
            }
        };
        for (Principal principal : new Principal[] {ALICE, BOB}) {
            Assert.assertTrue(Sets.filter(authz.listPrivileges(principal), onEntity).isEmpty());
        }
    }

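    /**
     * Asserts that a full scan of the named key-value table returns no entries.
     *
     * <p>Written with try-with-resources: the scan iterator is closed exactly once on every path,
     * and a failure while closing is attached as a suppressed exception instead of replacing the
     * assertion failure. The previous hand-expanded form could close the iterator a second time
     * when the first close threw.
     *
     * @param namespaceId namespace that holds the dataset
     * @param str         name of the dataset to scan
     */
    private void assertDatasetIsEmpty(NamespaceId namespaceId, String str) throws Exception {
        KeyValueTable table = (KeyValueTable) getDataset(namespaceId.toId(), str).get();
        // Null start and stop keys: scan the whole table.
        try (CloseableIterator<?> scan = table.scan((byte[]) null, (byte[]) null)) {
            Assert.assertFalse(scan.hasNext());
        }
    }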

    /**
     * Starts the program with the given arguments, waits for it to finish, and then waits until
     * every run in the program's history has status FAILED.
     *
     * @param map            runtime arguments for the run
     * @param programManager manager of the program under test
     */
    private <T extends ProgramManager> void assertProgramFailure(Map<String, String> map, final ProgramManager<T> programManager) throws TimeoutException, InterruptedException, ExecutionException {
        programManager.start(map);
        programManager.waitForFinish(5L, TimeUnit.MINUTES);

        // NOTE(review): only the run status is inspected, so a run that failed for a reason other
        // than authorization satisfies this check too, and an empty history counts as "all
        // failed". Callers rely on the dataset-is-empty assertions that follow for the rest.
        Callable<Boolean> everyRunFailed = new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                for (RunRecord run : programManager.getHistory()) {
                    if (run.getStatus() != ProgramRunStatus.FAILED) {
                        return false;
                    }
                }
                return true;
            }
        };
        Tasks.waitFor(true, everyRunFailed, 120L, TimeUnit.SECONDS, "Not all program runs have failed status. Expected all run status to be failed");
    }

    /**
     * Enforces every {@link Action} for the principal on each of the given entities; the call
     * passes only if none of the enforce calls throws.
     *
     * @param principal   principal expected to hold all actions
     * @param entityIdArr entities to check, in order
     */
    private void assertAllAccess(Principal principal, EntityId... entityIdArr) throws Exception {
        int total = entityIdArr.length;
        for (int idx = 0; idx < total; idx++) {
            EntityId target = entityIdArr[idx];
            getAuthorizer().enforce(target, principal, EnumSet.allOf(Action.class));
        }
    }

    /**
     * Writes the single fixture entry "hello" -> "world" into the named key-value table and
     * flushes the dataset manager.
     *
     * @param namespaceId namespace that holds the dataset
     * @param str         name of the dataset to write to
     */
    private void addDummyData(NamespaceId namespaceId, String str) throws Exception {
        DataSetManager tableManager = getDataset(namespaceId.toId(), str);
        KeyValueTable table = (KeyValueTable) tableManager.get();
        table.write("hello", "world");
        tableManager.flush();
    }

    /**
     * Asserts that the named key-value table holds the fixture entry "hello" -> "world".
     *
     * @param namespaceId namespace that holds the dataset
     * @param str         name of the dataset to read from
     */
    private void verifyDummyData(NamespaceId namespaceId, String str) throws Exception {
        KeyValueTable table = (KeyValueTable) getDataset(namespaceId.toId(), str).get();
        String stored = Bytes.toString(table.read("hello"));
        Assert.assertEquals("world", stored);
    }
}
