package io.trino.server.ui;

import com.google.common.base.MoreObjects;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.hash.Hashing;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.trino.server.ServletSecurityUtils;
import io.trino.server.security.AuthenticationException;
import io.trino.server.security.Authenticator;
import io.trino.spi.security.Identity;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.time.ZonedDateTime;
import java.util.Collection;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;

/* loaded from: input_file:io/trino/server/ui/FormWebUiAuthenticationFilter.class */
public class FormWebUiAuthenticationFilter implements WebUiAuthenticationFilter {
    private static final String TRINO_UI_AUDIENCE = "trino-ui";
    private static final String TRINO_UI_COOKIE = "Trino-UI-Token";
    static final String TRINO_FORM_LOGIN = "Trino-Form-Login";
    static final String LOGIN_FORM = "/ui/login.html";
    static final URI LOGIN_FORM_URI = URI.create(LOGIN_FORM);
    static final String DISABLED_LOCATION = "/ui/disabled.html";
    static final URI DISABLED_LOCATION_URI = URI.create(DISABLED_LOCATION);
    public static final String UI_LOCATION = "/ui/";
    static final URI UI_LOCATION_URI = URI.create(UI_LOCATION);
    static final String UI_LOGIN = "/ui/login";
    static final String UI_LOGOUT = "/ui/logout";
    private final Function<String, String> jwtParser;
    private final Function<String, String> jwtGenerator;
    private final FormAuthenticator formAuthenticator;
    private final Optional<Authenticator> authenticator;

    @Inject
    public FormWebUiAuthenticationFilter(FormWebUiConfig formWebUiConfig, FormAuthenticator formAuthenticator, @ForWebUi Optional<Authenticator> optional) {
        byte[] bArr;
        if (formWebUiConfig.getSharedSecret().isPresent()) {
            bArr = Hashing.sha256().hashString(formWebUiConfig.getSharedSecret().get(), StandardCharsets.UTF_8).asBytes();
        } else {
            bArr = new byte[32];
            new SecureRandom().nextBytes(bArr);
        }
        byte[] bArr2 = bArr;
        this.jwtParser = str -> {
            return parseJwt(bArr2, str);
        };
        long roundTo = formWebUiConfig.getSessionTimeout().roundTo(TimeUnit.NANOSECONDS);
        byte[] bArr3 = bArr;
        this.jwtGenerator = str2 -> {
            return generateJwt(bArr3, str2, roundTo);
        };
        this.formAuthenticator = (FormAuthenticator) Objects.requireNonNull(formAuthenticator, "formAuthenticator is null");
        this.authenticator = (Optional) Objects.requireNonNull(optional, "authenticator is null");
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getRequestUri().getPath();
        if (path.equals(DISABLED_LOCATION)) {
            return;
        }
        if (this.authenticator.isPresent() && containerRequestContext.getSecurityContext().isSecure()) {
            handleProtocolLoginRequest(this.authenticator.get(), containerRequestContext);
            return;
        }
        if ((path.equals(UI_LOGIN) && containerRequestContext.getMethod().equals("POST")) || path.equals(UI_LOGOUT)) {
            return;
        }
        Optional<String> authenticatedUsername = getAuthenticatedUsername(containerRequestContext);
        if (authenticatedUsername.isPresent()) {
            if (path.equals(LOGIN_FORM)) {
                containerRequestContext.abortWith(redirectFromSuccessfulLoginResponse(containerRequestContext.getUriInfo().getRequestUri().getQuery()).build());
                return;
            } else {
                ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, authenticatedUsername.get());
                return;
            }
        }
        if (path.startsWith("/ui/api/")) {
            ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, "Unauthorized", ImmutableSet.of(TRINO_FORM_LOGIN));
            return;
        }
        if (!isAuthenticationEnabled(containerRequestContext.getSecurityContext().isSecure())) {
            containerRequestContext.abortWith(Response.seeOther(DISABLED_LOCATION_URI).build());
        } else {
            if (path.equals(LOGIN_FORM)) {
                return;
            }
            containerRequestContext.abortWith(Response.seeOther(LOGIN_FORM_URI).build());
            containerRequestContext.abortWith(Response.seeOther(buildLoginFormURI(containerRequestContext.getUriInfo())).build());
        }
    }

    private static URI buildLoginFormURI(UriInfo uriInfo) {
        UriBuilder uri = uriInfo.getRequestUriBuilder().uri(LOGIN_FORM_URI);
        String path = uriInfo.getRequestUri().getPath();
        if (!Strings.isNullOrEmpty(uriInfo.getRequestUri().getQuery())) {
            path = path + "?" + uriInfo.getRequestUri().getQuery();
        }
        if (path.equals("/ui") || path.equals(UI_LOCATION)) {
            return uri.build(new Object[0]);
        }
        try {
            uri.uri(new URI(null, null, null, path, null));
        } catch (URISyntaxException e) {
        }
        return uri.build(new Object[0]);
    }

    private static void handleProtocolLoginRequest(Authenticator authenticator, ContainerRequestContext containerRequestContext) {
        try {
            Identity authenticate = authenticator.authenticate(containerRequestContext);
            if (redirectFormLoginToUi(containerRequestContext)) {
                return;
            }
            ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, authenticate);
        } catch (AuthenticationException e) {
            ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, (String) MoreObjects.firstNonNull(e.getMessage(), "Unauthorized"), (Collection) e.getAuthenticateHeader().map((v0) -> {
                return ImmutableSet.of(v0);
            }).orElse(ImmutableSet.of()));
        }
    }

    private static boolean redirectFormLoginToUi(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getRequestUri().getPath();
        if (!path.equals(LOGIN_FORM) && !path.equals(UI_LOGIN) && !path.equals(UI_LOGOUT)) {
            return false;
        }
        containerRequestContext.abortWith(Response.seeOther(UI_LOCATION_URI).build());
        return true;
    }

    public static Response.ResponseBuilder redirectFromSuccessfulLoginResponse(String str) {
        URI uri = UI_LOCATION_URI;
        String emptyToNull = Strings.emptyToNull(str);
        if (emptyToNull != null) {
            try {
                uri = new URI(emptyToNull);
            } catch (URISyntaxException e) {
            }
        }
        return Response.seeOther(uri);
    }

    public Optional<NewCookie> checkLoginCredentials(String str, String str2, boolean z) {
        return this.formAuthenticator.isValidCredential(str, str2, z).map(str3 -> {
            return createAuthenticationCookie(str3, z);
        });
    }

    private Optional<String> getAuthenticatedUsername(ContainerRequestContext containerRequestContext) {
        Cookie cookie = (Cookie) containerRequestContext.getCookies().get(TRINO_UI_COOKIE);
        if (cookie == null) {
            return Optional.empty();
        }
        try {
            return Optional.of(this.jwtParser.apply(cookie.getValue()));
        } catch (JwtException e) {
            return Optional.empty();
        } catch (RuntimeException e2) {
            throw new RuntimeException("Authentication error", e2);
        }
    }

    private NewCookie createAuthenticationCookie(String str, boolean z) {
        return new NewCookie(TRINO_UI_COOKIE, this.jwtGenerator.apply(str), "/ui", (String) null, 1, (String) null, -1, (Date) null, z, true);
    }

    public static NewCookie getDeleteCookie(boolean z) {
        return new NewCookie(TRINO_UI_COOKIE, "delete", "/ui", (String) null, 1, (String) null, 0, (Date) null, z, true);
    }

    public boolean isPasswordAllowed(boolean z) {
        return this.formAuthenticator.isPasswordAllowed(z);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isAuthenticationEnabled(boolean z) {
        return this.formAuthenticator.isLoginEnabled(z) || this.authenticator.isPresent();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String generateJwt(byte[] bArr, String str, long j) {
        return Jwts.builder().signWith(SignatureAlgorithm.HS256, bArr).setSubject(str).setExpiration(Date.from(ZonedDateTime.now().plusNanos(j).toInstant())).setAudience(TRINO_UI_AUDIENCE).compact();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String parseJwt(byte[] bArr, String str) {
        return ((Claims) Jwts.parser().setSigningKey(bArr).requireAudience(TRINO_UI_AUDIENCE).parseClaimsJws(str).getBody()).getSubject();
    }

    public static boolean redirectAllFormLoginToUi(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getRequestUri().getPath();
        if (!path.equals(LOGIN_FORM) && !path.equals(UI_LOGIN) && !path.equals(UI_LOGOUT)) {
            return false;
        }
        containerRequestContext.abortWith(Response.seeOther(UI_LOCATION_URI).build());
        return true;
    }
}
