package io.trino.server.security;

import com.google.common.base.Verify;
import io.trino.client.ProtocolDetectionException;
import io.trino.client.ProtocolHeaders;
import io.trino.server.ProtocolConfig;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import java.security.Principal;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedMap;

/* loaded from: input_file:io/trino/server/security/PasswordAuthenticator.class */
public class PasswordAuthenticator implements Authenticator {
    private final PasswordAuthenticatorManager authenticatorManager;
    private final UserMapping userMapping;
    private final Optional<String> alternateHeaderName;

    @Inject
    public PasswordAuthenticator(PasswordAuthenticatorManager passwordAuthenticatorManager, PasswordAuthenticatorConfig passwordAuthenticatorConfig, ProtocolConfig protocolConfig) {
        Objects.requireNonNull(passwordAuthenticatorConfig, "config is null");
        this.userMapping = UserMapping.createUserMapping(passwordAuthenticatorConfig.getUserMappingPattern(), passwordAuthenticatorConfig.getUserMappingFile());
        this.authenticatorManager = (PasswordAuthenticatorManager) Objects.requireNonNull(passwordAuthenticatorManager, "authenticatorManager is null");
        passwordAuthenticatorManager.setRequired();
        this.alternateHeaderName = protocolConfig.getAlternateHeaderName();
    }

    @Override // io.trino.server.security.Authenticator
    public Identity authenticate(ContainerRequestContext containerRequestContext) throws AuthenticationException {
        BasicAuthCredentials orElseThrow = BasicAuthCredentials.extractBasicAuthCredentials(containerRequestContext).orElseThrow(() -> {
            return needAuthentication(null);
        });
        String user = orElseThrow.getUser();
        String orElseThrow2 = orElseThrow.getPassword().orElseThrow(() -> {
            return new AuthenticationException("Malformed credentials: password is empty");
        });
        AuthenticationException authenticationException = null;
        Iterator<io.trino.spi.security.PasswordAuthenticator> it = this.authenticatorManager.getAuthenticators().iterator();
        while (it.hasNext()) {
            try {
                Principal createAuthenticatedPrincipal = it.next().createAuthenticatedPrincipal(user, orElseThrow2);
                String mapUser = this.userMapping.mapUser(createAuthenticatedPrincipal.toString());
                rewriteUserHeaderToMappedUser(orElseThrow, containerRequestContext.getHeaders(), mapUser);
                return Identity.forUser(mapUser).withPrincipal(createAuthenticatedPrincipal).build();
            } catch (UserMappingException | AccessDeniedException e) {
                if (authenticationException == null) {
                    authenticationException = needAuthentication(e.getMessage());
                } else {
                    authenticationException.addSuppressed(needAuthentication(e.getMessage()));
                }
            } catch (RuntimeException e2) {
                throw new RuntimeException("Authentication error", e2);
            }
        }
        Verify.verify(authenticationException != null, "exception not set", new Object[0]);
        throw authenticationException;
    }

    private void rewriteUserHeaderToMappedUser(BasicAuthCredentials basicAuthCredentials, MultivaluedMap<String, String> multivaluedMap, String str) {
        try {
            String requestUser = ProtocolHeaders.detectProtocol(this.alternateHeaderName, multivaluedMap.keySet()).requestUser();
            if (basicAuthCredentials.getUser().equals(multivaluedMap.getFirst(requestUser))) {
                multivaluedMap.putSingle(requestUser, str);
            }
        } catch (ProtocolDetectionException e) {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static AuthenticationException needAuthentication(String str) {
        return new AuthenticationException(str, BasicAuthCredentials.AUTHENTICATE_HEADER);
    }
}
