package io.trino.server.security.oauth2;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import io.airlift.http.client.HttpClientConfig;
import io.airlift.http.client.jetty.JettyHttpClient;
import io.airlift.log.Logging;
import io.airlift.testing.Closeables;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.DefaultClaims;
import io.trino.client.OkHttpUtil;
import io.trino.server.security.jwt.JwkService;
import io.trino.server.security.jwt.JwkSigningKeyResolver;
import io.trino.server.security.jwt.JwtAuthenticatorConfig;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.server.ui.WebUiModule;
import io.trino.testng.services.Flaky;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.MalformedURLException;
import java.net.ServerSocket;
import java.net.URI;
import java.net.URL;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.UUID;
import javax.ws.rs.core.Response;
import okhttp3.Cookie;
import okhttp3.CookieJar;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.assertj.core.api.Assertions;
import org.openqa.selenium.By;
import org.openqa.selenium.Cookie;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.openqa.selenium.remote.RemoteWebDriver;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.WebDriverWait;
import org.testcontainers.Testcontainers;
import org.testcontainers.containers.BrowserWebDriverContainer;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

@Test(singleThreaded = true)
/* loaded from: input_file:io/trino/server/security/oauth2/TestOAuth2WebUiAuthenticationFilter.class */
public class TestOAuth2WebUiAuthenticationFilter {
    private static final String TRINO_CLIENT_ID = "trino-client";
    private static final String TRINO_CLIENT_SECRET = "trino-secret";
    private static final String TRUSTED_CLIENT_ID = "trusted-client";
    private static final String TRUSTED_CLIENT_SECRET = "trusted-secret";
    private static final String UNTRUSTED_CLIENT_ID = "untrusted-client";
    private static final String UNTRUSTED_CLIENT_SECRET = "untrusted-secret";
    private static final String UNTRUSTED_CLIENT_AUDIENCE = "https://untrusted.com";
    private final TestingHydraIdentityProvider hydraIdP = new TestingHydraIdentityProvider();
    private final OkHttpClient httpClient;
    private TestingTrinoServer server;
    private URI serverUri;
    private static final int HTTPS_PORT = findAvailablePort();
    private static final String EXPOSED_SERVER_URL = String.format("https://host.testcontainers.internal:%d", Integer.valueOf(HTTPS_PORT));
    private static final String TRINO_AUDIENCE = EXPOSED_SERVER_URL + "/ui";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/oauth2/TestOAuth2WebUiAuthenticationFilter$AuthenticationAssertion.class */
    public interface AuthenticationAssertion {
        void assertWith(WebDriver webDriver, WebDriverWait webDriverWait) throws Exception;
    }

    public TestOAuth2WebUiAuthenticationFilter() {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        OkHttpUtil.setupInsecureSsl(builder);
        builder.followRedirects(false);
        this.httpClient = builder.build();
    }

    @BeforeClass
    public void setup() throws Exception {
        Logging.initialize();
        Testcontainers.exposeHostPorts(new int[]{HTTPS_PORT});
        this.hydraIdP.start();
        this.hydraIdP.createClient(TRINO_CLIENT_ID, TRINO_CLIENT_SECRET, TokenEndpointAuthMethod.CLIENT_SECRET_BASIC, TRINO_AUDIENCE, EXPOSED_SERVER_URL + "/oauth2/callback");
        this.hydraIdP.createClient(TRUSTED_CLIENT_ID, TRUSTED_CLIENT_SECRET, TokenEndpointAuthMethod.CLIENT_SECRET_POST, TRINO_AUDIENCE, EXPOSED_SERVER_URL + "/oauth2/callback");
        this.hydraIdP.createClient(UNTRUSTED_CLIENT_ID, UNTRUSTED_CLIENT_SECRET, TokenEndpointAuthMethod.CLIENT_SECRET_POST, UNTRUSTED_CLIENT_AUDIENCE, "https://untrusted.com/callback");
        this.server = TestingTrinoServer.builder().setCoordinator(true).setAdditionalModule(new WebUiModule()).setProperties(ImmutableMap.builder().put("web-ui.enabled", "true").put("web-ui.authentication.type", "oauth2").put("http-server.https.port", Integer.toString(HTTPS_PORT)).put("http-server.https.enabled", "true").put("http-server.https.keystore.path", Resources.getResource("cert/localhost.pem").getPath()).put("http-server.https.keystore.key", "").put("http-server.authentication.oauth2.auth-url", "https://hydra:4444/oauth2/auth").put("http-server.authentication.oauth2.token-url", String.format("https://localhost:%s/oauth2/token", Integer.valueOf(this.hydraIdP.getHydraPort()))).put("http-server.authentication.oauth2.jwks-url", String.format("https://localhost:%s/.well-known/jwks.json", Integer.valueOf(this.hydraIdP.getHydraPort()))).put("http-server.authentication.oauth2.client-id", TRINO_CLIENT_ID).put("http-server.authentication.oauth2.client-secret", TRINO_CLIENT_SECRET).put("http-server.authentication.oauth2.audience", String.format("https://host.testcontainers.internal:%d/ui", Integer.valueOf(HTTPS_PORT))).put("http-server.authentication.oauth2.user-mapping.pattern", "(.*)(@.*)?").put("oauth2-jwk.http-client.trust-store-path", Resources.getResource("cert/localhost.pem").getPath()).build()).build();
        this.server.waitForNodeRefresh(Duration.ofSeconds(10L));
        this.serverUri = this.server.getHttpsBaseUrl();
    }

    @AfterClass(alwaysRun = true)
    public void tearDown() throws Exception {
        Closeables.closeAll(new AutoCloseable[]{this.server, this.hydraIdP});
    }

    @Test
    public void testUnauthorizedApiCall() throws IOException {
        Response execute = this.httpClient.newCall(apiCall().build()).execute();
        try {
            assertUnauthorizedResponse(execute);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testUnauthorizedUICall() throws IOException {
        Response execute = this.httpClient.newCall(uiCall().build()).execute();
        try {
            assertRedirectResponse(execute);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testUnsignedToken() throws NoSuchAlgorithmException, IOException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RS256;
        keyPairGenerator.initialize(4096);
        long epochSecond = Instant.now().getEpochSecond();
        Response execute = httpClientUsingCookie(new Cookie.Builder("__Secure-Trino-OAuth2-Token", Jwts.builder().setHeaderParam("alg", "RS256").setHeaderParam("kid", "public:f467aa08-1c1b-4cde-ba45-84b0ef5d2ba8").setHeaderParam("typ", "JWT").setClaims(new DefaultClaims(ImmutableMap.builder().put("aud", ImmutableList.of()).put("client_id", TRINO_CLIENT_ID).put("exp", Long.valueOf(epochSecond + 60)).put("iat", Long.valueOf(epochSecond)).put("iss", "https://hydra:4444/").put("jti", UUID.randomUUID()).put("nbf", Long.valueOf(epochSecond)).put("scp", ImmutableList.of("openid")).put("sub", "foo@bar.com").build())).signWith(signatureAlgorithm, keyPairGenerator.generateKeyPair().getPrivate()).compact()).build()).newCall(uiCall().build()).execute();
        try {
            assertRedirectResponse(execute);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testTokenWithInvalidAudience() throws IOException {
        Response execute = httpClientUsingCookie(new Cookie.Builder("__Secure-Trino-OAuth2-Token", this.hydraIdP.getToken(UNTRUSTED_CLIENT_ID, UNTRUSTED_CLIENT_SECRET, UNTRUSTED_CLIENT_AUDIENCE)).build()).newCall(uiCall().build()).execute();
        try {
            assertUnauthorizedResponse(execute);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testTokenFromTrustedClient() throws IOException {
        assertUICallWithCookie(new Cookie.Builder("__Secure-Trino-OAuth2-Token", this.hydraIdP.getToken(TRUSTED_CLIENT_ID, TRUSTED_CLIENT_SECRET, TRINO_AUDIENCE)).build());
    }

    @Flaky(issue = "https://github.com/trinodb/trino/issues/6223", match = "^")
    @Test
    public void testSuccessfulFlow() throws Exception {
        withSuccessfulAuthentication((webDriver, webDriverWait) -> {
            Cookie cookieNamed = getCookieNamed(webDriver, "__Secure-Trino-OAuth2-Token");
            assertTrinoCookie(cookieNamed);
            assertUICallWithCookie(cookieNamed);
        });
    }

    @Flaky(issue = "https://github.com/trinodb/trino/issues/6223", match = "^")
    @Test
    public void testExpiredAccessToken() throws Exception {
        withSuccessfulAuthentication((webDriver, webDriverWait) -> {
            Cookie cookieNamed = getCookieNamed(webDriver, "__Secure-Trino-OAuth2-Token");
            Thread.sleep(6000L);
            Response execute = httpClientUsingCookie(cookieNamed).newCall(uiCall().build()).execute();
            try {
                assertRedirectResponse(execute);
                if (execute != null) {
                    execute.close();
                }
            } catch (Throwable th) {
                if (execute != null) {
                    try {
                        execute.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        });
    }

    private Request.Builder uiCall() {
        return new Request.Builder().url(this.serverUri.resolve("/ui/").toString()).get();
    }

    private Request.Builder apiCall() {
        return new Request.Builder().url(this.serverUri.resolve("/ui/api/cluster").toString()).get();
    }

    private void withSuccessfulAuthentication(AuthenticationAssertion authenticationAssertion) throws Exception {
        BrowserWebDriverContainer<?> createChromeContainer = createChromeContainer();
        try {
            RemoteWebDriver webDriver = createChromeContainer.getWebDriver();
            webDriver.get(String.format("https://host.testcontainers.internal:%d/ui/", Integer.valueOf(HTTPS_PORT)));
            WebDriverWait webDriverWait = new WebDriverWait(webDriver, 5L);
            submitCredentials(webDriver, "foo@bar.com", "foobar", webDriverWait);
            giveConsent(webDriver, webDriverWait);
            webDriverWait.until(ExpectedConditions.urlMatches(String.format("https://host.testcontainers.internal:%d/ui/", Integer.valueOf(HTTPS_PORT))));
            authenticationAssertion.assertWith(webDriver, webDriverWait);
            if (createChromeContainer != null) {
                createChromeContainer.close();
            }
        } catch (Throwable th) {
            if (createChromeContainer != null) {
                try {
                    createChromeContainer.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private BrowserWebDriverContainer<?> createChromeContainer() {
        ChromeOptions chromeOptions = new ChromeOptions();
        chromeOptions.setAcceptInsecureCerts(true);
        BrowserWebDriverContainer<?> withCapabilities = new BrowserWebDriverContainer().withNetwork(this.hydraIdP.getNetwork()).withCapabilities(chromeOptions);
        withCapabilities.start();
        return withCapabilities;
    }

    private void submitCredentials(WebDriver webDriver, String str, String str2, WebDriverWait webDriverWait) {
        By id = By.id("email");
        webDriverWait.until(ExpectedConditions.elementToBeClickable(id));
        webDriver.findElement(id).sendKeys(new CharSequence[]{str});
        By id2 = By.id("password");
        webDriverWait.until(ExpectedConditions.elementToBeClickable(id2));
        webDriver.findElement(id2).sendKeys(new CharSequence[]{str2 + "\n"});
    }

    private void giveConsent(WebDriver webDriver, WebDriverWait webDriverWait) {
        By id = By.id("openid");
        webDriverWait.until(ExpectedConditions.elementToBeClickable(id));
        webDriver.findElement(id).click();
        By id2 = By.id("accept");
        webDriverWait.until(ExpectedConditions.elementToBeClickable(id2));
        webDriver.findElement(id2).click();
    }

    private void assertTrinoCookie(Cookie cookie) {
        Assertions.assertThat(cookie.getName()).isEqualTo("__Secure-Trino-OAuth2-Token");
        Assertions.assertThat(cookie.getDomain()).isEqualTo("host.testcontainers.internal");
        Assertions.assertThat(cookie.getPath()).isEqualTo("/ui/");
        Assertions.assertThat(cookie.isSecure()).isTrue();
        Assertions.assertThat(cookie.isHttpOnly()).isTrue();
        Assertions.assertThat(cookie.getValue()).isNotBlank();
        Jws<Claims> parseClaimsJws = Jwts.parser().setSigningKeyResolver(new JwkSigningKeyResolver(new JwkService(new JwtAuthenticatorConfig().setKeyFile("https://localhost:" + this.hydraIdP.getHydraPort() + "/.well-known/jwks.json"), new JettyHttpClient(new HttpClientConfig().setTrustStorePath(Resources.getResource("cert/localhost.pem").getPath()))))).parseClaimsJws(cookie.getValue());
        io.airlift.testing.Assertions.assertLessThan(Duration.between(cookie.getExpiry().toInstant(), ((Claims) parseClaimsJws.getBody()).getExpiration().toInstant()), Duration.ofSeconds(5L));
        assertAccessToken(parseClaimsJws);
    }

    private void assertAccessToken(Jws<Claims> jws) {
        Assertions.assertThat(((Claims) jws.getBody()).getSubject()).isEqualTo("foo@bar.com");
        Assertions.assertThat(((Claims) jws.getBody()).get("client_id")).isEqualTo(TRINO_CLIENT_ID);
        Assertions.assertThat(((Claims) jws.getBody()).getIssuer()).isEqualTo("https://hydra:4444/");
    }

    private void assertUICallWithCookie(Cookie cookie) throws IOException {
        Assertions.assertThat(httpClientUsingCookie(cookie).newCall(uiCall().build()).execute().code()).isEqualTo(Response.Status.OK.getStatusCode());
    }

    private static OkHttpClient httpClientUsingCookie(final Cookie cookie) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        OkHttpUtil.setupInsecureSsl(builder);
        builder.followRedirects(false);
        builder.cookieJar(new CookieJar() { // from class: io.trino.server.security.oauth2.TestOAuth2WebUiAuthenticationFilter.1
            public void saveFromResponse(HttpUrl httpUrl, List<okhttp3.Cookie> list) {
            }

            public List<okhttp3.Cookie> loadForRequest(HttpUrl httpUrl) {
                return ImmutableList.of(new Cookie.Builder().domain("localhost").path("/ui/").name("__Secure-Trino-OAuth2-Token").value(cookie.getValue()).httpOnly().secure().build());
            }
        });
        return builder.build();
    }

    private static int findAvailablePort() {
        try {
            ServerSocket serverSocket = new ServerSocket(0);
            try {
                int localPort = serverSocket.getLocalPort();
                serverSocket.close();
                return localPort;
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private static void assertRedirectResponse(okhttp3.Response response) throws MalformedURLException {
        Assertions.assertThat(response.code()).isEqualTo(Response.Status.SEE_OTHER.getStatusCode());
        assertRedirectUrl(response.header("Location"));
    }

    private static void assertUnauthorizedResponse(okhttp3.Response response) throws IOException {
        Assertions.assertThat(response.code()).isEqualTo(Response.Status.UNAUTHORIZED.getStatusCode());
        Assertions.assertThat(response.body()).isNotNull();
        Assertions.assertThat(response.body().string()).isEqualTo("Unauthorized");
    }

    private static void assertRedirectUrl(String str) throws MalformedURLException {
        Assertions.assertThat(str).isNotNull();
        URL url = new URL(str);
        HttpUrl parse = HttpUrl.parse(str);
        Assertions.assertThat(parse).isNotNull();
        Assertions.assertThat(url.getProtocol()).isEqualTo("https");
        Assertions.assertThat(url.getHost()).isEqualTo("hydra");
        Assertions.assertThat(url.getPort()).isEqualTo(4444);
        Assertions.assertThat(url.getPath()).isEqualTo("/oauth2/auth");
        Assertions.assertThat(parse.queryParameterValues("response_type")).isEqualTo(ImmutableList.of("code"));
        Assertions.assertThat(parse.queryParameterValues("scope")).isEqualTo(ImmutableList.of("openid"));
        Assertions.assertThat(parse.queryParameterValues("redirect_uri")).isEqualTo(ImmutableList.of(String.format("https://127.0.0.1:%s/oauth2/callback", Integer.valueOf(HTTPS_PORT))));
        Assertions.assertThat(parse.queryParameterValues("client_id")).isEqualTo(ImmutableList.of(TRINO_CLIENT_ID));
        Assertions.assertThat(parse.queryParameterValues("state")).isNotNull();
    }

    private static org.openqa.selenium.Cookie getCookieNamed(WebDriver webDriver, String str) {
        org.openqa.selenium.Cookie cookieNamed = webDriver.manage().getCookieNamed(str);
        Assertions.assertThat(cookieNamed).withFailMessage(str + " is missing", new Object[0]).isNotNull();
        return cookieNamed;
    }
}
