package io.trino.server.security;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.inject.Binder;
import com.google.inject.Module;
import com.google.inject.Provides;
import com.google.inject.Scopes;
import com.google.inject.multibindings.MapBinder;
import com.google.inject.multibindings.OptionalBinder;
import io.airlift.configuration.AbstractConfigurationAwareModule;
import io.airlift.configuration.ConditionalModule;
import io.airlift.configuration.ConfigBinder;
import io.airlift.configuration.ConfigurationAwareModule;
import io.airlift.discovery.server.DynamicAnnouncementResource;
import io.airlift.discovery.server.ServiceResource;
import io.airlift.discovery.store.StoreResource;
import io.airlift.http.server.HttpServer;
import io.airlift.http.server.HttpServerConfig;
import io.airlift.jaxrs.JaxrsBinder;
import io.airlift.jmx.MBeanResource;
import io.trino.server.security.jwt.JwtAuthenticator;
import io.trino.server.security.jwt.JwtAuthenticatorSupportModule;
import io.trino.server.security.oauth2.OAuth2AuthenticationSupportModule;
import io.trino.server.security.oauth2.OAuth2Authenticator;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/* loaded from: input_file:io/trino/server/security/ServerSecurityModule.class */
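/**
 * Guice module that wires HTTP authentication for the server.
 *
 * <p>It binds the {@link AuthenticationFilter} and the resource-security JAX-RS feature, and
 * registers one conditional module per supported authentication type. Each conditional module is
 * installed only when its lower-case type name appears in the authentication types of
 * {@link SecurityConfig}.
 */
public class ServerSecurityModule extends AbstractConfigurationAwareModule {
    /**
     * Registers the authentication filter, the resource security rules and every supported
     * authenticator type.
     *
     * @param binder the Guice binder of the enclosing injector
     */
    @Override
    protected void setup(Binder binder) {
        binder.bind(AuthenticationFilter.class);
        JaxrsBinder.jaxrsBinder(binder).bind(ResourceSecurityDynamicFeature.class);

        // Discovery and JMX endpoints get an explicit access level instead of relying on a default.
        // The exact meaning of "management read" and "internal only" is defined by
        // ResourceSecurityBinder, which is not shown here.
        ResourceSecurityBinder.resourceSecurityBinder(binder)
                .managementReadResource(ServiceResource.class)
                .managementReadResource(MBeanResource.class)
                .internalOnlyResource(DynamicAnnouncementResource.class)
                .internalOnlyResource(StoreResource.class);

        OptionalBinder.newOptionalBinder(binder, PasswordAuthenticatorManager.class);
        binder.bind(CertificateAuthenticatorManager.class).in(Scopes.SINGLETON);

        insecureHttpAuthenticationDefaults();

        // Declares the authenticator map so that it exists even when no conditional module adds to it.
        authenticatorBinder(binder);

        install(authenticatorModule("certificate", CertificateAuthenticator.class, certificateBinder -> {
            // NOTE(review): REQUESTED presumably asks for a client certificate without making the
            // TLS handshake fail when none is sent, so rejecting a missing certificate would be the
            // job of CertificateAuthenticator. Confirm against HttpServer.ClientCertificate.
            OptionalBinder.newOptionalBinder(certificateBinder, HttpServer.ClientCertificate.class)
                    .setBinding()
                    .toInstance(HttpServer.ClientCertificate.REQUESTED);
            ConfigBinder.configBinder(certificateBinder).bindConfig(CertificateConfig.class);
        }));

        installAuthenticator("kerberos", KerberosAuthenticator.class, KerberosConfig.class);

        install(authenticatorModule("password", PasswordAuthenticator.class, ignored -> {
            // NOTE(review): these bindings go to the enclosing binder, not to the lambda's own
            // parameter. They are still made only when this conditional module is configured.
            // Kept as found; confirm that this is intentional.
            ConfigBinder.configBinder(binder).bindConfig(PasswordAuthenticatorConfig.class);
            binder.bind(PasswordAuthenticatorManager.class).in(Scopes.SINGLETON);
        }));

        install(authenticatorModule("jwt", JwtAuthenticator.class, new JwtAuthenticatorSupportModule()));
        install(authenticatorModule("oauth2", OAuth2Authenticator.class, new OAuth2AuthenticationSupportModule()));

        // The insecure authenticator and its config are bound unconditionally; only its entry in
        // the authenticator map depends on the configured types. Presumably another component
        // injects InsecureAuthenticator directly (TODO confirm), so its use has to be gated there.
        ConfigBinder.configBinder(binder).bindConfig(InsecureAuthenticatorConfig.class);
        binder.bind(InsecureAuthenticator.class).in(Scopes.SINGLETON);
        install(authenticatorModule("insecure", InsecureAuthenticator.class, ignored -> {
        }));
    }

    /**
     * Resolves the configured authentication types to authenticator instances.
     *
     * @param securityConfig the security configuration that lists the authentication types
     * @param map the authenticators registered through the map binder, keyed by lower-case type name
     * @return the authenticators, in the order their types are configured
     * @throws RuntimeException if a configured type has no registered authenticator
     */
    @Provides
    public List<Authenticator> getAuthenticatorList(SecurityConfig securityConfig, Map<String, Authenticator> map) {
        return authenticationTypes(securityConfig).stream()
                .map(type -> {
                    Authenticator authenticator = map.get(type);
                    if (authenticator == null) {
                        // Fail at startup rather than run with fewer authenticators than configured.
                        throw new RuntimeException("Unknown authenticator type: " + type);
                    }
                    return authenticator;
                })
                .collect(ImmutableList.toImmutableList());
    }

    /**
     * Builds a module that is installed only when {@code str} is one of the configured
     * authentication types.
     *
     * @param str the authentication type name; must already be lower case
     * @param cls the authenticator implementation to register under {@code str}
     * @param module the supporting bindings installed together with the authenticator
     * @return the conditional module
     * @throws IllegalArgumentException if {@code str} is not lower case
     */
    public static Module authenticatorModule(String str, Class<? extends Authenticator> cls, Module module) {
        // Configured types are lower-cased before matching, so a mixed-case name could never match.
        Preconditions.checkArgument(str.toLowerCase(Locale.ENGLISH).equals(str), "name is not lower case: %s", str);
        return ConditionalModule.installModuleIf(
                SecurityConfig.class,
                securityConfig -> authenticationTypes(securityConfig).contains(str),
                ConfigurationAwareModule.combine(
                        module,
                        binder -> authenticatorBinder(binder).addBinding(str).to(cls).in(Scopes.SINGLETON)));
    }

    /**
     * Installs an authenticator whose only supporting binding is a single config class.
     *
     * @param str the lower-case authentication type name
     * @param cls the authenticator implementation
     * @param cls2 the config class to bind when the type is enabled
     */
    private void installAuthenticator(String str, Class<? extends Authenticator> cls, Class<?> cls2) {
        install(authenticatorModule(str, cls, binder -> ConfigBinder.configBinder(binder).bindConfig(cls2)));
    }

    /** Returns the map binder that collects authenticators by type name. */
    private static MapBinder<String, Authenticator> authenticatorBinder(Binder binder) {
        return MapBinder.newMapBinder(binder, String.class, Authenticator.class);
    }

    /** Returns the configured authentication types, lower-cased with the English locale. */
    private static List<String> authenticationTypes(SecurityConfig securityConfig) {
        return securityConfig.getAuthenticationTypes().stream()
                .map(type -> type.toLowerCase(Locale.ENGLISH))
                .collect(ImmutableList.toImmutableList());
    }

    /**
     * Installs a config default that turns off insecure authentication over HTTP.
     *
     * <p>The default is installed when HTTPS is enabled or forwarded headers are processed, unless
     * the configured authentication types are exactly {@code ["insecure"]}. It is registered
     * through {@code bindConfigDefaults}, so an explicitly configured value presumably still
     * overrides it (confirm against the config binder).
     */
    private void insecureHttpAuthenticationDefaults() {
        HttpServerConfig httpServerConfig = buildConfigObject(HttpServerConfig.class);
        SecurityConfig securityConfig = buildConfigObject(SecurityConfig.class);
        boolean secureTransportExpected = httpServerConfig.isHttpsEnabled() || httpServerConfig.isProcessForwarded();
        // NOTE(review): this compares the raw configured values, while authenticationTypes()
        // lower-cases them. Unless SecurityConfig normalizes case itself, a value such as
        // "INSECURE" selects the insecure authenticator but still takes the restrictive branch
        // below. That errs on the safe side; confirm it is intended before changing it.
        boolean insecureOnly = securityConfig.getAuthenticationTypes().equals(ImmutableList.of("insecure"));
        if (secureTransportExpected && !insecureOnly) {
            install(binder -> ConfigBinder.configBinder(binder).bindConfigDefaults(
                    SecurityConfig.class,
                    defaults -> defaults.setInsecureAuthenticationOverHttpAllowed(false)));
        }
    }
}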
