package io.trino.server.security.oauth2;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.inject.Inject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderConfigurationRequest;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import dev.failsafe.Failsafe;
import dev.failsafe.RetryPolicy;
import io.airlift.http.client.HttpStatus;
import io.airlift.json.ObjectMapperProvider;
import io.airlift.log.Logger;
import io.trino.server.security.oauth2.OAuth2ServerConfigProvider;
import java.net.URI;
import java.time.Duration;
import java.util.Objects;
import java.util.Optional;

/* loaded from: input_file:io/trino/server/security/oauth2/OidcDiscovery.class */
public class OidcDiscovery implements OAuth2ServerConfigProvider {
    private static final Logger LOG = Logger.get(OidcDiscovery.class);
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapperProvider().get();
    private final Issuer issuer;
    private final Duration discoveryTimeout;
    private final boolean userinfoEndpointEnabled;
    private final Optional<String> accessTokenIssuer;
    private final Optional<String> authUrl;
    private final Optional<String> tokenUrl;
    private final Optional<String> jwksUrl;
    private final Optional<String> userinfoUrl;
    private final NimbusHttpClient httpClient;

    @Inject
    public OidcDiscovery(OAuth2Config oAuth2Config, OidcDiscoveryConfig oidcDiscoveryConfig, NimbusHttpClient nimbusHttpClient) {
        this.issuer = new Issuer((String) Objects.requireNonNull(oAuth2Config.getIssuer(), "issuer is null"));
        this.userinfoEndpointEnabled = oidcDiscoveryConfig.isUserinfoEndpointEnabled();
        this.discoveryTimeout = Duration.ofMillis(((io.airlift.units.Duration) Objects.requireNonNull(oidcDiscoveryConfig.getDiscoveryTimeout(), "discoveryTimeout is null")).toMillis());
        this.accessTokenIssuer = (Optional) Objects.requireNonNull(oidcDiscoveryConfig.getAccessTokenIssuer(), "accessTokenIssuer is null");
        this.authUrl = (Optional) Objects.requireNonNull(oidcDiscoveryConfig.getAuthUrl(), "authUrl is null");
        this.tokenUrl = (Optional) Objects.requireNonNull(oidcDiscoveryConfig.getTokenUrl(), "tokenUrl is null");
        this.jwksUrl = (Optional) Objects.requireNonNull(oidcDiscoveryConfig.getJwksUrl(), "jwksUrl is null");
        this.userinfoUrl = (Optional) Objects.requireNonNull(oidcDiscoveryConfig.getUserinfoUrl(), "userinfoUrl is null");
        this.httpClient = (NimbusHttpClient) Objects.requireNonNull(nimbusHttpClient, "httpClient is null");
    }

    @Override // io.trino.server.security.oauth2.OAuth2ServerConfigProvider
    public OAuth2ServerConfigProvider.OAuth2ServerConfig get() {
        return (OAuth2ServerConfigProvider.OAuth2ServerConfig) Failsafe.with(RetryPolicy.builder().withMaxAttempts(-1).withMaxDuration(this.discoveryTimeout).withDelay(Duration.ofSeconds(1L)).abortOn(IllegalStateException.class).onFailedAttempt(executionAttemptedEvent -> {
            LOG.debug("OpenID Connect Metadata read failed: %s", new Object[]{executionAttemptedEvent.getLastException()});
        }).build(), new RetryPolicy[0]).get(() -> {
            return (OAuth2ServerConfigProvider.OAuth2ServerConfig) this.httpClient.execute(new OIDCProviderConfigurationRequest(this.issuer), this::parseConfigurationResponse);
        });
    }

    private OAuth2ServerConfigProvider.OAuth2ServerConfig parseConfigurationResponse(HTTPResponse hTTPResponse) throws ParseException {
        int statusCode = hTTPResponse.getStatusCode();
        if (statusCode == HttpStatus.OK.code()) {
            return readConfiguration(hTTPResponse.getContent());
        }
        if (statusCode < 400 || statusCode >= 500 || statusCode == HttpStatus.REQUEST_TIMEOUT.code() || statusCode == HttpStatus.TOO_MANY_REQUESTS.code()) {
            throw new RuntimeException("Invalid response from OpenID Metadata endpoint: " + statusCode);
        }
        throw new IllegalStateException(String.format("Invalid response from OpenID Metadata endpoint. Expected response code to be %s, but was %s", Integer.valueOf(HttpStatus.OK.code()), Integer.valueOf(statusCode)));
    }

    private OAuth2ServerConfigProvider.OAuth2ServerConfig readConfiguration(String str) throws ParseException {
        OIDCProviderMetadata parse = OIDCProviderMetadata.parse(str);
        checkMetadataState(this.issuer.equals(parse.getIssuer()), "The value of the \"issuer\" claim in Metadata document different than the Issuer URL used for the Configuration Request.", new String[0]);
        try {
            return new OAuth2ServerConfigProvider.OAuth2ServerConfig(getOptionalField("access_token_issuer", Optional.ofNullable(OBJECT_MAPPER.readTree(str).get("access_token_issuer")).map((v0) -> {
                return v0.textValue();
            }), StaticOAuth2ServerConfiguration.ACCESS_TOKEN_ISSUER, this.accessTokenIssuer), getRequiredField("authorization_endpoint", parse.getAuthorizationEndpointURI(), StaticOAuth2ServerConfiguration.AUTH_URL, this.authUrl), getRequiredField("token_endpoint", parse.getTokenEndpointURI(), StaticOAuth2ServerConfiguration.TOKEN_URL, this.tokenUrl), getRequiredField("jwks_uri", parse.getJWKSetURI(), StaticOAuth2ServerConfiguration.JWKS_URL, this.jwksUrl), (this.userinfoEndpointEnabled ? getOptionalField("userinfo_endpoint", Optional.ofNullable(parse.getUserInfoEndpointURI()).map((v0) -> {
                return v0.toString();
            }), StaticOAuth2ServerConfiguration.USERINFO_URL, this.userinfoUrl) : Optional.empty()).map(URI::create));
        } catch (JsonProcessingException e) {
            throw new ParseException("Invalid JSON value", e);
        }
    }

    private static URI getRequiredField(String str, URI uri, String str2, Optional<String> optional) {
        Optional<String> optionalField = getOptionalField(str, Optional.ofNullable(uri).map((v0) -> {
            return v0.toString();
        }), str2, optional);
        checkMetadataState(optionalField.isPresent(), "Missing required \"%s\" property.", str);
        return URI.create(optionalField.get());
    }

    private static Optional<String> getOptionalField(String str, Optional<String> optional, String str2, Optional<String> optional2) {
        if (optional2.isEmpty()) {
            return optional;
        }
        if (optional.isEmpty()) {
            return optional2;
        }
        if (optional2.equals(optional)) {
            LOG.warn("Provided redundant configuration property \"%s\" with the same value as \"%s\" field in OpenID metadata document", new Object[]{str2, str});
        } else {
            LOG.warn("Overriding \"%s=%s\" from OpenID metadata document with value \"%s=%s\" defined in configuration", new Object[]{str, optional.orElse(""), str2, optional2.orElse("")});
        }
        return optional2;
    }

    private static void checkMetadataState(boolean z, String str, String... strArr) {
        Preconditions.checkState(z, "Invalid response from OpenID Metadata endpoint. " + str, strArr);
    }
}
