package io.trino.server.security;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.io.Resources;
import com.google.inject.Key;
import com.google.inject.multibindings.OptionalBinder;
import io.airlift.http.client.HttpUriBuilder;
import io.airlift.http.server.HttpServerConfig;
import io.airlift.http.server.HttpServerInfo;
import io.airlift.http.server.testing.TestingHttpServer;
import io.airlift.jaxrs.JaxrsBinder;
import io.airlift.node.NodeInfo;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.trino.client.OkHttpUtil;
import io.trino.client.ProtocolHeaders;
import io.trino.plugin.base.security.AllowAllSystemAccessControl;
import io.trino.security.AccessControl;
import io.trino.security.AccessControlManager;
import io.trino.server.HttpRequestSessionContext;
import io.trino.server.security.ResourceSecurity;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.security.oauth2.OAuth2Service;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.server.ui.TestWebUi;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.PasswordAuthenticator;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.testing.assertions.Assert;
import java.io.File;
import java.io.IOException;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.Principal;
import java.security.PrivateKey;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.inject.Inject;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import okhttp3.Credentials;
import okhttp3.Headers;
import okhttp3.JavaNetCookieJar;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.ResponseBody;
import org.assertj.core.api.Assertions;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/server/security/TestResourceSecurity.class */
public class TestResourceSecurity {
    private static final String TEST_USER = "test-user";
    private static final String TEST_USER_LOGIN = "test-user@allowed";
    private static final String TEST_PASSWORD = "test-password";
    private static final String TEST_PASSWORD2 = "test-password-2";
    private static final String MANAGEMENT_USER = "management-user";
    private static final String MANAGEMENT_USER_LOGIN = "management-user@allowed";
    private static final String MANAGEMENT_PASSWORD = "management-password";
    private static final PrivateKey JWK_PRIVATE_KEY;
    private OkHttpClient client;
    private Path passwordConfigDummy;
    private static final String LOCALHOST_KEYSTORE = Resources.getResource("cert/localhost.pem").getPath();
    private static final String ALLOWED_USER_MAPPING_PATTERN = "(.*)@allowed";
    private static final ImmutableMap<String, String> SECURE_PROPERTIES = ImmutableMap.builder().put("http-server.https.enabled", "true").put("http-server.https.keystore.path", LOCALHOST_KEYSTORE).put("http-server.https.keystore.key", "").put("http-server.process-forwarded", "true").put("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build();
    private static final String HMAC_KEY = Resources.getResource("hmac_key.txt").getPath();
    private static final ObjectMapper json = new ObjectMapper();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$JwkServlet.class */
    public static class JwkServlet extends HttpServlet {
        private JwkServlet() {
        }

        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            httpServletResponse.getWriter().println(Resources.toString(Resources.getResource("jwk/jwk-public.json"), StandardCharsets.UTF_8));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$OAuthBearer.class */
    public static class OAuthBearer {
        private final String state;
        private final String tokenServer;
        private final HttpCookie nonceCookie;

        public OAuthBearer(String str, String str2, HttpCookie httpCookie) {
            this.state = (String) Objects.requireNonNull(str, "state is null");
            this.tokenServer = (String) Objects.requireNonNull(str2, "tokenServer is null");
            this.nonceCookie = (HttpCookie) Objects.requireNonNull(httpCookie, "nonce is null");
        }

        public String getState() {
            return this.state;
        }

        public String getTokenServer() {
            return this.tokenServer;
        }

        public HttpCookie getNonceCookie() {
            return this.nonceCookie;
        }
    }

    @javax.ws.rs.Path("/username")
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TestResource.class */
    public static class TestResource {
        private final AccessControl accessControl;

        @Inject
        public TestResource(AccessControl accessControl) {
            this.accessControl = accessControl;
        }

        @ResourceSecurity(ResourceSecurity.AccessType.AUTHENTICATED_USER)
        @GET
        public Response echoToken(@Context HttpServletRequest httpServletRequest, @Context HttpHeaders httpHeaders) {
            return Response.ok().header("user", HttpRequestSessionContext.extractAuthorizedIdentity(httpServletRequest, httpHeaders, Optional.empty(), this.accessControl, str -> {
                return ImmutableSet.of();
            }).getUser()).build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TestSystemAccessControl.class */
    public static class TestSystemAccessControl extends AllowAllSystemAccessControl {
        public static final TestSystemAccessControl WITH_IMPERSONATION = new TestSystemAccessControl(false);
        public static final TestSystemAccessControl NO_IMPERSONATION = new TestSystemAccessControl(true);
        private final boolean allowImpersonation;

        private TestSystemAccessControl(boolean z) {
            this.allowImpersonation = z;
        }

        public void checkCanImpersonateUser(SystemSecurityContext systemSecurityContext, String str) {
            if (this.allowImpersonation) {
                return;
            }
            AccessDeniedException.denyImpersonateUser(systemSecurityContext.getIdentity().getUser(), str);
        }

        public void checkCanReadSystemInformation(SystemSecurityContext systemSecurityContext) {
            if (systemSecurityContext.getIdentity().getUser().equals(TestResourceSecurity.MANAGEMENT_USER)) {
                return;
            }
            AccessDeniedException.denyReadSystemInformationAccess();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TokenDTO.class */
    public static class TokenDTO {

        @JsonProperty
        String token;

        private TokenDTO() {
        }
    }

    @BeforeClass
    public void setup() throws IOException {
        OkHttpClient.Builder followRedirects = new OkHttpClient.Builder().followRedirects(false);
        OkHttpUtil.setupSsl(followRedirects, Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty());
        this.client = followRedirects.build();
        this.passwordConfigDummy = Files.createTempFile("passwordConfigDummy", "", new FileAttribute[0]);
        this.passwordConfigDummy.toFile().deleteOnExit();
    }

    @Test
    public void testInsecureAuthenticatorHttp() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().put("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            assertInsecureAuthentication(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testInsecureAuthenticatorHttps() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(SECURE_PROPERTIES).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertInsecureAuthentication(httpServerInfo.getHttpUri());
            assertInsecureAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testInsecureAuthenticatorHttpsOnly() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.allow-insecure-over-http", "false").build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertInsecureAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultiplePasswordAuthenticators() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate, TestResourceSecurity::authenticate2});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri(), TEST_PASSWORD, TEST_PASSWORD2);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultiplePasswordAuthenticatorsMessages() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate, TestResourceSecurity::authenticate2});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            okhttp3.Response execute = this.client.newCall(new Request.Builder().url(getAuthorizedUserLocation(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri())).headers(Headers.of(new String[]{"Authorization", Credentials.basic(TEST_USER_LOGIN, "wrong_password")})).build()).execute();
            try {
                Assertions.assertThat(execute.message()).isEqualTo("Access Denied: Invalid credentials | Access Denied: Invalid credentials2");
                if (execute != null) {
                    execute.close();
                }
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticatorUserMapping() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).setAdditionalModule(binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
        }).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            okhttp3.Response execute = this.client.newCall(new Request.Builder().url(getLocation(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri(), "/username")).addHeader("Authorization", Credentials.basic(TEST_USER_LOGIN, TEST_PASSWORD)).addHeader("X-Trino-User", TEST_USER_LOGIN).build()).execute();
            try {
                Assert.assertEquals(execute.code(), 200);
                Assert.assertEquals(execute.header("user"), TEST_USER);
                if (execute != null) {
                    execute.close();
                }
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticatorWithInsecureHttp() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertInsecureAuthentication(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttpInsecureEnabledOnly() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttpInsecureDisabledOnly() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "false").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertResponseCode(this.client, getPublicLocation(httpServerInfo.getHttpUri()), 200);
            assertResponseCode(this.client, getAuthorizedUserLocation(httpServerInfo.getHttpUri()), 403, TEST_USER_LOGIN, null);
            assertResponseCode(this.client, getManagementLocation(httpServerInfo.getHttpUri()), 200);
            assertResponseCode(this.client, getManagementLocation(httpServerInfo.getHttpUri()), 200, "unknown", "something");
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttps() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("management.user", MANAGEMENT_USER).put("management.user.https-enabled", "true").build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
            assertFixedManagementUser(httpServerInfo.getHttpsUri(), false);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testCertAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "certificate").put("http-server.https.truststore.path", LOCALHOST_KEYSTORE).put("http-server.https.truststore.key", "").build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            OkHttpClient.Builder newBuilder = this.client.newBuilder();
            OkHttpUtil.setupSsl(newBuilder, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty());
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), newBuilder.build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtAuthenticator() throws Exception {
        verifyJwtAuthenticator(Optional.empty());
        verifyJwtAuthenticator(Optional.of("custom-principal"));
    }

    private void verifyJwtAuthenticator(Optional<String> optional) throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).put("http-server.authentication.jwt.principal-field", optional.orElse("sub")).build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            JwtBuilder expiration = Jwts.builder().signWith(SignatureAlgorithm.HS256, Files.readString(Paths.get(HMAC_KEY, new String[0]))).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant()));
            if (optional.isPresent()) {
                expiration.claim(optional.get(), TEST_USER);
            } else {
                expiration.setSubject(TEST_USER);
            }
            String compact = expiration.compact();
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
            }).build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtWithJwkAuthenticator() throws Exception {
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", createTestingJwkServer.getBaseUrl().toString()).build()).build();
            try {
                ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
                HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
                assertAuthenticationDisabled(httpServerInfo.getHttpUri());
                String compact = Jwts.builder().signWith(SignatureAlgorithm.RS256, JWK_PRIVATE_KEY).setHeaderParam("kid", "test-rsa").setSubject(TEST_USER).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
                }).build());
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testOAuth2Authenticator() throws Exception {
        verifyOAuth2Authenticator(true, Optional.empty());
        verifyOAuth2Authenticator(false, Optional.empty());
        verifyOAuth2Authenticator(true, Optional.of("custom-principal"));
        verifyOAuth2Authenticator(false, Optional.of("custom-principal"));
    }

    private void verifyOAuth2Authenticator(boolean z, Optional<String> optional) throws Exception {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        Date from = Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant());
        JwtBuilder expiration = Jwts.builder().signWith(SignatureAlgorithm.RS256, JWK_PRIVATE_KEY).setHeaderParam("kid", "test-rsa").setIssuer(TestWebUi.TOKEN_ISSUER).setAudience(TestWebUi.OAUTH_CLIENT_ID).setExpiration(from);
        JwtBuilder expiration2 = Jwts.builder().signWith(SignatureAlgorithm.RS256, JWK_PRIVATE_KEY).setHeaderParam("kid", "test-rsa").setIssuer(TestWebUi.TOKEN_ISSUER).setAudience(TestWebUi.OAUTH_CLIENT_ID).setExpiration(from);
        if (optional.isPresent()) {
            expiration.claim(optional.get(), TEST_USER);
            expiration2.claim(optional.get(), TEST_USER);
        } else {
            expiration.setSubject(TEST_USER);
            expiration2.setSubject(TEST_USER);
        }
        String compact = expiration.compact();
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build2 = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "oauth2").put("web-ui.enabled", String.valueOf(z)).put("http-server.authentication.oauth2.issuer", TestWebUi.TOKEN_ISSUER).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.state-key", "test-state-key").put("http-server.authentication.oauth2.auth-url", TestWebUi.TOKEN_ISSUER).put("http-server.authentication.oauth2.token-url", TestWebUi.TOKEN_ISSUER).put("http-server.authentication.oauth2.client-id", TestWebUi.OAUTH_CLIENT_ID).put("http-server.authentication.oauth2.client-secret", "client-secret").put("http-server.authentication.oauth2.principal-field", optional.orElse("sub")).build()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(new OAuth2Client() { // from class: io.trino.server.security.TestResourceSecurity.1
                    public URI getAuthorizationUri(String str, URI uri, Optional<String> optional2) {
                        return URI.create("http://example.com/authorize?" + str);
                    }

                    public OAuth2Client.OAuth2Response getOAuth2Response(String str, URI uri) {
                        if ("TEST_CODE".equals(str)) {
                            return new OAuth2Client.OAuth2Response(compact, Optional.of(Instant.now().plus(5L, (TemporalUnit) ChronoUnit.MINUTES)), Optional.of(expiration2.compact()));
                        }
                        throw new IllegalArgumentException("Expected TEST_CODE");
                    }
                });
            }).build();
            try {
                ((AccessControlManager) build2.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
                HttpServerInfo httpServerInfo = (HttpServerInfo) build2.getInstance(Key.get(HttpServerInfo.class));
                assertAuthenticationDisabled(httpServerInfo.getHttpUri());
                URI httpsUri = httpServerInfo.getHttpsUri();
                assertOk(build, getPublicLocation(httpsUri));
                OAuthBearer assertAuthenticateOAuth2Bearer = assertAuthenticateOAuth2Bearer(build, getAuthorizedUserLocation(httpsUri), "http://example.com/authorize");
                assertAuthenticateOAuth2Bearer(build, getManagementLocation(httpsUri), "http://example.com/authorize");
                assertResponseCode(build, getInternalLocation(httpsUri), 403);
                expiration2.claim("nonce", OAuth2Service.hashNonce(assertAuthenticateOAuth2Bearer.getNonceCookie().getValue()));
                cookieManager.getCookieStore().add(cookieManager.getCookieStore().getURIs().get(0), assertAuthenticateOAuth2Bearer.getNonceCookie());
                assertOk(build, HttpUriBuilder.uriBuilderFrom(httpsUri).replacePath("/oauth2/callback/").addParameter("code", new String[]{"TEST_CODE"}).addParameter("state", new String[]{assertAuthenticateOAuth2Bearer.getState()}).toString());
                Assert.assertEquals(getOauthToken(build, assertAuthenticateOAuth2Bearer.getTokenServer()), compact);
                if (z) {
                    HttpCookie httpCookie = (HttpCookie) Iterables.getOnlyElement(cookieManager.getCookieStore().getCookies());
                    Assert.assertEquals(httpCookie.getValue(), compact);
                    Assert.assertEquals(httpCookie.getPath(), "/ui/");
                    Assert.assertEquals(httpCookie.getDomain(), httpsUri.getHost());
                    org.testng.Assert.assertTrue(httpCookie.getMaxAge() > 0 && httpCookie.getMaxAge() < TimeUnit.MINUTES.toSeconds(5L));
                    org.testng.Assert.assertTrue(httpCookie.isHttpOnly());
                    cookieManager.getCookieStore().removeAll();
                } else {
                    List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
                    org.testng.Assert.assertTrue(cookies.isEmpty(), "Expected no cookies when webUi is not enabled, but got: " + cookies);
                }
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), build.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
                }).build());
                if (build2 != null) {
                    build2.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    private static OAuthBearer assertAuthenticateOAuth2Bearer(OkHttpClient okHttpClient, String str, String str2) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(str).build()).execute();
        try {
            Assert.assertEquals(execute.code(), 401, str);
            String header = execute.header("WWW-Authenticate");
            org.testng.Assert.assertNotNull(header);
            Pattern compile = Pattern.compile("Bearer x_redirect_server=\"(https://127.0.0.1:[0-9]+/oauth2/token/initiate/.+)\", x_token_server=\"(https://127.0.0.1:[0-9]+/oauth2/token/.+)\"");
            Matcher matcher = compile.matcher(header);
            org.testng.Assert.assertTrue(matcher.matches(), String.format("Invalid authentication header.\nExpected: %s\nPattern: %s", header, compile));
            String group = matcher.group(1);
            String group2 = matcher.group(2);
            if (execute != null) {
                execute.close();
            }
            Request build = new Request.Builder().url(group).build();
            execute = okHttpClient.newCall(build).execute();
            try {
                Assert.assertEquals(execute.code(), 303);
                String header2 = execute.header("Location");
                org.testng.Assert.assertNotNull(header2);
                Pattern compile2 = Pattern.compile(String.format("%s\\?(.+)", str2));
                Matcher matcher2 = compile2.matcher(header2);
                org.testng.Assert.assertTrue(matcher2.matches(), String.format("Invalid location header.\nExpected: %s\nPattern: %s", str2, compile2));
                HttpCookie httpCookie = HttpCookie.parse((String) Objects.requireNonNull(execute.header("Set-Cookie"))).get(0);
                httpCookie.setDomain(build.url().host());
                OAuthBearer oAuthBearer = new OAuthBearer(matcher2.group(1), group2, httpCookie);
                if (execute != null) {
                    execute.close();
                }
                return oAuthBearer;
            } finally {
            }
        } finally {
        }
    }

    private static String getOauthToken(OkHttpClient okHttpClient, String str) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(str).build()).execute();
        try {
            String str2 = ((TokenDTO) json.readValue(((ResponseBody) Objects.requireNonNull(execute.body())).string(), TokenDTO.class)).token;
            if (execute != null) {
                execute.close();
            }
            return str2;
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void assertInsecureAuthentication(URI uri) throws IOException {
        assertResponseCode(this.client, getManagementLocation(uri), 200, MANAGEMENT_USER_LOGIN, null);
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, "something");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 401);
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, "something");
        assertResponseCode(this.client, getManagementLocation(uri), 401, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 200, MANAGEMENT_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, "something");
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, MANAGEMENT_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getInternalLocation(uri), 403, MANAGEMENT_USER_LOGIN, null);
    }

    private void assertPasswordAuthentication(URI uri) throws IOException {
        assertPasswordAuthentication(uri, TEST_PASSWORD);
    }

    private void assertPasswordAuthentication(URI uri, String... strArr) throws IOException {
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, "invalid");
        for (String str : strArr) {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, str);
        }
        assertResponseCode(this.client, getManagementLocation(uri), 401);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, "invalid");
        for (String str2 : strArr) {
            assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, str2);
        }
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, "invalid");
        assertResponseCode(this.client, getManagementLocation(uri), 200, MANAGEMENT_USER_LOGIN, MANAGEMENT_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        for (String str3 : strArr) {
            assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, str3);
        }
    }

    private static void assertAuthenticationAutomatic(URI uri, OkHttpClient okHttpClient) throws IOException {
        assertResponseCode(okHttpClient, getPublicLocation(uri), 200);
        assertResponseCode(okHttpClient, getAuthorizedUserLocation(uri), 200);
        assertResponseCode(okHttpClient, getManagementLocation(uri), 403);
        assertResponseCode(okHttpClient, getManagementLocation(uri), 200, Headers.of(new String[]{ProtocolHeaders.TRINO_HEADERS.requestUser(), MANAGEMENT_USER}));
        assertResponseCode(okHttpClient, getInternalLocation(uri), 403);
    }

    private void assertAuthenticationDisabled(URI uri) throws IOException {
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getManagementLocation(uri), 403);
        assertResponseCode(this.client, getManagementLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getInternalLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
    }

    private void assertFixedManagementUser(URI uri, boolean z) throws IOException {
        assertResponseCode(this.client, getPublicLocation(uri), 200);
        if (z) {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, null);
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, "unknown", null);
        } else {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, TEST_PASSWORD);
        }
        assertResponseCode(this.client, getManagementLocation(uri), 200);
        assertResponseCode(this.client, getManagementLocation(uri), 200, "unknown", "something");
    }

    private static void assertOk(OkHttpClient okHttpClient, String str) throws IOException {
        assertResponseCode(okHttpClient, str, 200, null, null);
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i) throws IOException {
        assertResponseCode(okHttpClient, str, i, null, null);
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i, String str2, String str3) throws IOException {
        assertResponseCode(okHttpClient, str, i, Headers.of(new String[]{"Authorization", Credentials.basic((String) MoreObjects.firstNonNull(str2, ""), (String) MoreObjects.firstNonNull(str3, ""))}));
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i, Headers headers) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(str).headers(headers).build()).execute();
        try {
            Assert.assertEquals(execute.code(), i, str);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static String getInternalLocation(URI uri) {
        return getLocation(uri, "/v1/task");
    }

    private static String getManagementLocation(URI uri) {
        return getLocation(uri, "/v1/node");
    }

    private static String getAuthorizedUserLocation(URI uri) {
        return getLocation(uri, "/v1/query");
    }

    private static String getPublicLocation(URI uri) {
        return getLocation(uri, "/v1/info");
    }

    private static String getLocation(URI uri, String str) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).toString();
    }

    private static Principal authenticate(String str, String str2) {
        if ((TEST_USER_LOGIN.equals(str) && TEST_PASSWORD.equals(str2)) || (MANAGEMENT_USER_LOGIN.equals(str) && MANAGEMENT_PASSWORD.equals(str2))) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials");
    }

    private static Principal authenticate2(String str, String str2) {
        if ((TEST_USER_LOGIN.equals(str) && TEST_PASSWORD2.equals(str2)) || (MANAGEMENT_USER_LOGIN.equals(str) && MANAGEMENT_PASSWORD.equals(str2))) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials2");
    }

    private static TestingHttpServer createTestingJwkServer() throws IOException {
        NodeInfo nodeInfo = new NodeInfo("test");
        HttpServerConfig httpPort = new HttpServerConfig().setHttpPort(0);
        return new TestingHttpServer(new HttpServerInfo(httpPort, nodeInfo), nodeInfo, httpPort, new JwkServlet(), ImmutableMap.of());
    }

    static {
        try {
            JWK_PRIVATE_KEY = PemReader.loadPrivateKey(new File(Resources.getResource("jwk/jwk-rsa-private.pem").getPath()), Optional.empty());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
