package io.trino.server.security.oauth2;

import com.google.common.base.Strings;
import com.google.common.base.Verify;
import com.google.common.hash.Hashing;
import com.google.common.io.Resources;
import io.airlift.log.Logger;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.security.Keys;
import io.trino.server.security.jwt.JwtUtil;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.security.oauth2.TokenPairSerializer;
import io.trino.server.ui.FormWebUiAuthenticationFilter;
import io.trino.server.ui.OAuth2WebUiInstalled;
import io.trino.server.ui.OAuthWebUiCookie;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import javax.inject.Inject;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

/* loaded from: input_file:io/trino/server/security/oauth2/OAuth2Service.class */
public class OAuth2Service {
    public static final String STATE = "state";
    public static final String NONCE = "nonce";
    public static final String OPENID_SCOPE = "openid";
    private static final String STATE_AUDIENCE_UI = "trino_oauth_ui";
    private static final String FAILURE_REPLACEMENT_TEXT = "<!-- ERROR_MESSAGE -->";
    public static final String HANDLER_STATE_CLAIM = "handler_state";
    private final OAuth2Client client;
    private final Optional<Duration> tokenExpiration;
    private final TokenPairSerializer tokenPairSerializer;
    private final String successHtml;
    private final String failureHtml;
    private final TemporalAmount challengeTimeout;
    private final Key stateHmac;
    private final JwtParser jwtParser;
    private final OAuth2TokenHandler tokenHandler;
    private final boolean webUiOAuthEnabled;
    private static final Logger LOG = Logger.get(OAuth2Service.class);
    private static final Random SECURE_RANDOM = new SecureRandom();

    @Inject
    public OAuth2Service(OAuth2Client oAuth2Client, OAuth2Config oAuth2Config, OAuth2TokenHandler oAuth2TokenHandler, TokenPairSerializer tokenPairSerializer, @ForRefreshTokens Optional<Duration> optional, Optional<OAuth2WebUiInstalled> optional2) throws IOException {
        this.client = (OAuth2Client) Objects.requireNonNull(oAuth2Client, "client is null");
        Objects.requireNonNull(oAuth2Config, "oauth2Config is null");
        this.successHtml = Resources.toString(Resources.getResource(getClass(), "/oauth2/success.html"), StandardCharsets.UTF_8);
        this.failureHtml = Resources.toString(Resources.getResource(getClass(), "/oauth2/failure.html"), StandardCharsets.UTF_8);
        Verify.verify(this.failureHtml.contains(FAILURE_REPLACEMENT_TEXT), "login.html does not contain the replacement text", new Object[0]);
        this.challengeTimeout = Duration.ofMillis(oAuth2Config.getChallengeTimeout().toMillis());
        this.stateHmac = Keys.hmacShaKeyFor((byte[]) oAuth2Config.getStateKey().map(str -> {
            return Hashing.sha256().hashString(str, StandardCharsets.UTF_8).asBytes();
        }).orElseGet(() -> {
            return secureRandomBytes(32);
        }));
        this.jwtParser = JwtUtil.newJwtParserBuilder().setSigningKey(this.stateHmac).requireAudience(STATE_AUDIENCE_UI).build();
        this.tokenHandler = (OAuth2TokenHandler) Objects.requireNonNull(oAuth2TokenHandler, "tokenHandler is null");
        this.tokenPairSerializer = (TokenPairSerializer) Objects.requireNonNull(tokenPairSerializer, "tokenPairSerializer is null");
        this.tokenExpiration = (Optional) Objects.requireNonNull(optional, "tokenExpiration is null");
        this.webUiOAuthEnabled = ((Optional) Objects.requireNonNull(optional2, "webUiOAuthEnabled is null")).isPresent();
    }

    public Response startOAuth2Challenge(URI uri, Optional<String> optional) {
        Instant plus = Instant.now().plus(this.challengeTimeout);
        OAuth2Client.Request createAuthorizationRequest = this.client.createAuthorizationRequest(JwtUtil.newJwtBuilder().signWith(this.stateHmac).setAudience(STATE_AUDIENCE_UI).claim(HANDLER_STATE_CLAIM, optional.orElse(null)).setExpiration(Date.from(plus)).compact(), uri);
        Response.ResponseBuilder seeOther = Response.seeOther(createAuthorizationRequest.getAuthorizationUri());
        createAuthorizationRequest.getNonce().ifPresent(str -> {
            seeOther.cookie(new NewCookie[]{NonceCookie.create(str, plus)});
        });
        return seeOther.build();
    }

    public Response handleOAuth2Error(String str, String str2, String str3, String str4) {
        try {
            Optional.ofNullable((String) parseState(str).get(HANDLER_STATE_CLAIM, String.class)).ifPresent(str5 -> {
                this.tokenHandler.setTokenExchangeError(str5, String.format("Authentication response could not be verified: error=%s, errorDescription=%s, errorUri=%s", str2, str3, str3));
            });
            LOG.debug("OAuth server returned an error: error=%s, error_description=%s, error_uri=%s, state=%s", new Object[]{str2, str3, str4, str});
            return Response.ok().entity(getCallbackErrorHtml(str2)).cookie(new NewCookie[]{NonceCookie.delete()}).build();
        } catch (ChallengeFailedException | RuntimeException e) {
            LOG.debug(e, "Authentication response could not be verified invalid state: state=%s", new Object[]{str});
            return Response.status(Response.Status.BAD_REQUEST).entity(getInternalFailureHtml("Authentication response could not be verified")).cookie(new NewCookie[]{NonceCookie.delete()}).build();
        }
    }

    public Response finishOAuth2Challenge(String str, String str2, URI uri, Optional<String> optional) {
        try {
            Optional ofNullable = Optional.ofNullable((String) parseState(str).get(HANDLER_STATE_CLAIM, String.class));
            try {
                OAuth2Client.Response oAuth2Response = this.client.getOAuth2Response(str2, uri, optional);
                if (ofNullable.isEmpty()) {
                    return Response.seeOther(URI.create(FormWebUiAuthenticationFilter.UI_LOCATION)).cookie(new NewCookie[]{OAuthWebUiCookie.create(this.tokenPairSerializer.serialize(TokenPairSerializer.TokenPair.fromOAuth2Response(oAuth2Response)), (Instant) this.tokenExpiration.map(duration -> {
                        return Instant.now().plus((TemporalAmount) duration);
                    }).orElse(oAuth2Response.getExpiration())), NonceCookie.delete()}).build();
                }
                this.tokenHandler.setAccessToken((String) ofNullable.get(), this.tokenPairSerializer.serialize(TokenPairSerializer.TokenPair.fromOAuth2Response(oAuth2Response)));
                Response.ResponseBuilder ok = Response.ok(getSuccessHtml());
                if (this.webUiOAuthEnabled) {
                    ok.cookie(new NewCookie[]{OAuthWebUiCookie.create(this.tokenPairSerializer.serialize(TokenPairSerializer.TokenPair.fromOAuth2Response(oAuth2Response)), (Instant) this.tokenExpiration.map(duration2 -> {
                        return Instant.now().plus((TemporalAmount) duration2);
                    }).orElse(oAuth2Response.getExpiration()))});
                }
                return ok.cookie(new NewCookie[]{NonceCookie.delete()}).build();
            } catch (ChallengeFailedException | RuntimeException e) {
                LOG.debug(e, "Authentication response could not be verified: state=%s", new Object[]{str});
                ofNullable.ifPresent(str3 -> {
                    this.tokenHandler.setTokenExchangeError(str3, String.format("Authentication response could not be verified: state=%s", str3));
                });
                return Response.status(Response.Status.BAD_REQUEST).cookie(new NewCookie[]{NonceCookie.delete()}).entity(getInternalFailureHtml("Authentication response could not be verified")).build();
            }
        } catch (ChallengeFailedException | RuntimeException e2) {
            LOG.debug(e2, "Authentication response could not be verified invalid state: state=%s", new Object[]{str});
            return Response.status(Response.Status.BAD_REQUEST).entity(getInternalFailureHtml("Authentication response could not be verified")).cookie(new NewCookie[]{NonceCookie.delete()}).build();
        }
    }

    private Claims parseState(String str) throws ChallengeFailedException {
        try {
            return (Claims) this.jwtParser.parseClaimsJws(str).getBody();
        } catch (RuntimeException e) {
            throw new ChallengeFailedException("State validation failed", e);
        }
    }

    public String getSuccessHtml() {
        return this.successHtml;
    }

    public String getCallbackErrorHtml(String str) {
        return this.failureHtml.replace(FAILURE_REPLACEMENT_TEXT, getOAuth2ErrorMessage(str));
    }

    public String getInternalFailureHtml(String str) {
        return this.failureHtml.replace(FAILURE_REPLACEMENT_TEXT, Strings.nullToEmpty(str));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] secureRandomBytes(int i) {
        byte[] bArr = new byte[i];
        SECURE_RANDOM.nextBytes(bArr);
        return bArr;
    }

    private static String getOAuth2ErrorMessage(String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -2054838772:
                if (str.equals("server_error")) {
                    z = 2;
                    break;
                }
                break;
            case -1307356897:
                if (str.equals("temporarily_unavailable")) {
                    z = 3;
                    break;
                }
                break;
            case -444618026:
                if (str.equals("access_denied")) {
                    z = false;
                    break;
                }
                break;
            case 1330404726:
                if (str.equals("unauthorized_client")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return "OAuth2 server denied the login";
            case true:
                return "OAuth2 server does not allow request from this Trino server";
            case true:
                return "OAuth2 server had a failure";
            case true:
                return "OAuth2 server is temporarily unavailable";
            default:
                return "OAuth2 unknown error code: " + str;
        }
    }
}
