package io.trino.server.ui;

import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableSet;
import io.airlift.log.Logger;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.trino.server.ServletSecurityUtils;
import io.trino.server.security.UserMapping;
import io.trino.server.security.UserMappingException;
import io.trino.server.security.oauth2.NonceCookie;
import io.trino.server.security.oauth2.OAuth2CallbackResource;
import io.trino.server.security.oauth2.OAuth2Config;
import io.trino.server.security.oauth2.OAuth2Service;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.Identity;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

/* loaded from: input_file:io/trino/server/ui/OAuth2WebUiAuthenticationFilter.class */
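/**
 * Web UI request filter that authenticates a browser session from the OAuth2
 * access token stored in the {@link OAuthWebUiCookie}.
 *
 * <p>Requests without a usable token are sent into the OAuth2 authorization
 * flow (or, for {@code /ui/api/} calls, answered with a {@code WWW-Authenticate}
 * challenge). A parsed token is only accepted when its {@code aud} claim matches
 * the configured audience; its subject is then mapped to a Trino user through
 * the configured {@link UserMapping}.
 *
 * <p>Decompiler artefacts of the original listing (a dangling {@code Optional<U>},
 * redundant casts and explicit varargs arrays) have been removed.
 */
public class OAuth2WebUiAuthenticationFilter implements WebUiAuthenticationFilter {
    private static final Logger LOG = Logger.get(OAuth2WebUiAuthenticationFilter.class);

    private static final String DISABLED_PAGE = "/ui/disabled.html";
    private static final String API_PREFIX = "/ui/api/";
    private static final String AUDIENCE_CLAIM = "aud";
    private static final String UNAUTHORIZED = "Unauthorized";
    private static final String FORM_LOGIN_SCHEME = "Trino-Form-Login";

    private final OAuth2Service service;
    private final UserMapping userMapping;
    // Expected value of the token's "aud" claim; empty means the audience is not enforced.
    private final Optional<String> validAudience;

    /**
     * @param oAuth2Service service used to parse access tokens and start the web UI challenge
     * @param oAuth2Config  configuration supplying the user-mapping rules and the expected audience
     * @throws NullPointerException if either argument is {@code null}
     */
    @Inject
    public OAuth2WebUiAuthenticationFilter(OAuth2Service oAuth2Service, OAuth2Config oAuth2Config) {
        this.service = Objects.requireNonNull(oAuth2Service, "service is null");
        Objects.requireNonNull(oAuth2Config, "oauth2Config is null");
        this.userMapping = UserMapping.createUserMapping(oAuth2Config.getUserMappingPattern(), oAuth2Config.getUserMappingFile());
        this.validAudience = oAuth2Config.getAudience();
    }

    /**
     * Authenticates the request or aborts it with a redirect / 401.
     *
     * <p>Order of checks: the "UI disabled" page is always allowed through; a
     * non-TLS request is never authenticated; a missing or unparseable token
     * triggers the OAuth2 challenge; a wrong audience or a failed user mapping
     * yields 401.
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getRequestUri().getPath();
        // The "UI disabled" page must stay reachable without a session.
        if (path.equals(DISABLED_PAGE)) {
            return;
        }
        // Without TLS the filter refuses to authenticate at all: API callers get a
        // challenge, browser navigation is sent to the "disabled" page.
        if (!containerRequestContext.getSecurityContext().isSecure()) {
            if (isApiRequest(path)) {
                ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, UNAUTHORIZED, ImmutableSet.of(FORM_LOGIN_SCHEME));
            } else {
                containerRequestContext.abortWith(Response.seeOther(FormWebUiAuthenticationFilter.DISABLED_LOCATION_URI).build());
            }
            return;
        }

        Optional<Claims> token = getAccessToken(containerRequestContext).map(Jws::getBody);
        if (token.isEmpty()) {
            needAuthentication(containerRequestContext);
            return;
        }
        Claims claims = token.get();

        // Reject tokens issued for a different audience before trusting any other claim.
        Object audience = claims.get(AUDIENCE_CLAIM);
        if (!hasValidAudience(audience)) {
            LOG.debug("Invalid audience: %s. Expected audience to be equal to or contain: %s", audience, validAudience);
            ServletSecurityUtils.sendErrorMessage(containerRequestContext, Response.Status.UNAUTHORIZED, UNAUTHORIZED);
            return;
        }

        // A token without a subject identifies nobody; fail closed rather than
        // letting the user mapping deal with a null input.
        String subject = claims.getSubject();
        if (subject == null) {
            LOG.debug("Access token has no subject claim");
            ServletSecurityUtils.sendErrorMessage(containerRequestContext, Response.Status.UNAUTHORIZED, UNAUTHORIZED);
            return;
        }

        try {
            Identity identity = Identity.forUser(userMapping.mapUser(subject))
                    .withPrincipal(new BasicPrincipal(subject))
                    .build();
            ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, identity);
        } catch (UserMappingException e) {
            ServletSecurityUtils.sendErrorMessage(containerRequestContext, Response.Status.UNAUTHORIZED, MoreObjects.firstNonNull(e.getMessage(), UNAUTHORIZED));
        }
    }

    /**
     * Reads the OAuth2 web UI cookie and parses it into a JWS.
     *
     * @return the parsed token, or empty when the cookie is absent or the token
     *         cannot be parsed (presumably including signature failures inside
     *         {@code parseClaimsJws}, which is not visible from here)
     */
    private Optional<Jws<Claims>> getAccessToken(ContainerRequestContext containerRequestContext) {
        return OAuthWebUiCookie.read(containerRequestContext.getCookies().get(OAuthWebUiCookie.OAUTH2_COOKIE))
                .flatMap(this::parseToken);
    }

    /** Parses one raw token; parse failures are logged at debug level and map to empty. */
    private Optional<Jws<Claims>> parseToken(String rawToken) {
        try {
            return Optional.ofNullable(service.parseClaimsJws(rawToken));
        } catch (JwtException | IllegalArgumentException e) {
            // The exception message may echo parts of the (untrusted) token, so it is
            // passed as a format argument rather than concatenated into the format string.
            LOG.debug(e, "Unable to parse JWT token: %s", e.getMessage());
            return Optional.empty();
        }
    }

    /**
     * Aborts the request with the appropriate "not authenticated" response:
     * a {@code WWW-Authenticate} challenge for API calls, otherwise a redirect
     * into the OAuth2 authorization flow with the nonce cookie set when the
     * challenge carries one.
     */
    private void needAuthentication(ContainerRequestContext containerRequestContext) {
        if (isApiRequest(containerRequestContext.getUriInfo().getRequestUri().getPath())) {
            ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, UNAUTHORIZED, ImmutableSet.of(FORM_LOGIN_SCHEME));
            return;
        }
        OAuth2Service.OAuthChallenge challenge = service.startWebUiChallenge(
                containerRequestContext.getUriInfo().getBaseUri().resolve(OAuth2CallbackResource.CALLBACK_ENDPOINT));
        Response.ResponseBuilder redirect = Response.seeOther(challenge.getRedirectUrl());
        challenge.getNonce().ifPresent(nonce ->
                redirect.cookie(NonceCookie.create(nonce, challenge.getChallengeExpiration())));
        containerRequestContext.abortWith(redirect.build());
    }

    /**
     * Checks the raw {@code aud} claim against the configured audience.
     *
     * <p>Per RFC 7519 the claim is either a single string or an array of strings,
     * so both a {@link String} and any {@link Collection} (jjwt may surface the
     * array as a {@code List} or a {@code Set}) are accepted. Any other shape, or a
     * missing claim while an audience is configured, is rejected.
     *
     * @param audienceClaim the raw claim value, possibly {@code null}
     * @return {@code true} when no audience is configured or the claim equals /
     *         contains the configured audience
     */
    private boolean hasValidAudience(Object audienceClaim) {
        if (validAudience.isEmpty()) {
            return true;
        }
        if (audienceClaim == null) {
            return false;
        }
        String expected = validAudience.get();
        if (audienceClaim instanceof String) {
            return audienceClaim.equals(expected);
        }
        if (audienceClaim instanceof Collection) {
            return ((Collection<?>) audienceClaim).contains(expected);
        }
        return false;
    }

    /** Requests under the UI API prefix get a challenge instead of a redirect. */
    private static boolean isApiRequest(String path) {
        return path.startsWith(API_PREFIX);
    }
}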
