package io.trino.server.ui;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.hash.Hashing;
import com.google.common.io.BaseEncoding;
import com.google.common.io.Resources;
import com.google.errorprone.annotations.concurrent.GuardedBy;
import com.google.inject.Inject;
import com.google.inject.Key;
import com.google.inject.multibindings.OptionalBinder;
import io.airlift.http.client.HttpUriBuilder;
import io.airlift.http.server.HttpServerConfig;
import io.airlift.http.server.HttpServerInfo;
import io.airlift.http.server.testing.TestingHttpServer;
import io.airlift.jaxrs.JaxrsBinder;
import io.airlift.node.NodeInfo;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.impl.DefaultClaims;
import io.jsonwebtoken.security.Keys;
import io.trino.client.OkHttpUtil;
import io.trino.metadata.MetadataManager;
import io.trino.security.AccessControl;
import io.trino.server.HttpRequestSessionContextFactory;
import io.trino.server.ProtocolConfig;
import io.trino.server.protocol.PreparedStatementEncoder;
import io.trino.server.security.PasswordAuthenticatorManager;
import io.trino.server.security.ResourceSecurity;
import io.trino.server.security.jwt.JwtUtil;
import io.trino.server.security.oauth2.ChallengeFailedException;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.security.oauth2.TokenPairSerializer;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PasswordAuthenticator;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import okhttp3.FormBody;
import okhttp3.JavaNetCookieJar;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInstance;
import org.testng.Assert;

@TestInstance(TestInstance.Lifecycle.PER_CLASS)
/* loaded from: input_file:io/trino/server/ui/TestWebUi.class */
public class TestWebUi {
    private static final String ALLOWED_USER_MAPPING_PATTERN = "(.*)@allowed";
    private static final String TEST_USER = "test-user";
    private static final String AUTHENTICATED_USER = "test-user@allowed";
    private static final String FORM_LOGIN_USER = "form-login-user";
    private static final String TEST_PASSWORD = "test-password";
    private static final String TEST_PASSWORD2 = "test-password2";
    private static final PrivateKey JWK_PRIVATE_KEY;
    private static final String REFRESH_TOKEN = "REFRESH_TOKEN";
    private OkHttpClient client;
    private Path passwordConfigDummy;
    private static final String LOCALHOST_KEYSTORE = Resources.getResource("cert/localhost.pem").getPath();
    private static final ImmutableMap<String, String> SECURE_PROPERTIES = ImmutableMap.builder().put("http-server.https.enabled", "true").put("http-server.https.keystore.path", LOCALHOST_KEYSTORE).put("http-server.https.keystore.key", "").put("http-server.process-forwarded", "true").put("http-server.authentication.allow-insecure-over-http", "true").buildOrThrow();
    private static final String STATE_KEY = "test-state-key";
    public static final String TOKEN_ISSUER = "http://example.com/";
    public static final String OAUTH_CLIENT_ID = "client";
    private static final ImmutableMap<String, String> OAUTH2_PROPERTIES = ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.authentication.type", "oauth2").put("http-server.authentication.oauth2.state-key", STATE_KEY).put("http-server.authentication.oauth2.issuer", TOKEN_ISSUER).put("http-server.authentication.oauth2.auth-url", TOKEN_ISSUER).put("http-server.authentication.oauth2.token-url", TOKEN_ISSUER).put("http-server.authentication.oauth2.client-id", OAUTH_CLIENT_ID).put("http-server.authentication.oauth2.client-secret", "client-secret").put("http-server.authentication.oauth2.oidc.discovery", "false").buildOrThrow();
    private static final String HMAC_KEY = Resources.getResource("hmac_key.txt").getPath();
    private static final Duration REFRESH_TOKEN_TIMEOUT = Duration.ofMinutes(1);

    /* loaded from: input_file:io/trino/server/ui/TestWebUi$AuthenticatedIdentityCapturingFilter.class */
    private static class AuthenticatedIdentityCapturingFilter implements ContainerRequestFilter {

        @GuardedBy("this")
        private Identity authenticatedIdentity;

        private AuthenticatedIdentityCapturingFilter() {
        }

        public synchronized void filter(ContainerRequestContext containerRequestContext) throws IOException {
            Optional ofNullable = Optional.ofNullable((Identity) containerRequestContext.getProperty("trino.authenticated-identity"));
            String str = "<internal>";
            if (ofNullable.map((v0) -> {
                return v0.getUser();
            }).filter(Predicate.not((v1) -> {
                return r1.equals(v1);
            })).isPresent()) {
                if (this.authenticatedIdentity == null) {
                    this.authenticatedIdentity = (Identity) ofNullable.get();
                }
                Preconditions.checkState(this.authenticatedIdentity.equals(ofNullable.get()), "Detected more than one user identity");
            }
        }

        public synchronized Identity getAuthenticatedIdentity() {
            return this.authenticatedIdentity;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/ui/TestWebUi$JwkServlet.class */
    public static class JwkServlet extends HttpServlet {
        private JwkServlet() {
        }

        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            httpServletResponse.getWriter().println(Resources.toString(Resources.getResource("jwk/jwk-public.json"), StandardCharsets.UTF_8));
        }
    }

    /* loaded from: input_file:io/trino/server/ui/TestWebUi$OAuth2ClientStub.class */
    private static class OAuth2ClientStub implements OAuth2Client {
        private static final SecureRandom secureRandom = new SecureRandom();
        private final Claims claims;
        private final String accessToken;
        private final Duration accessTokenValidity;
        private final Optional<String> nonce;
        private final Optional<String> idToken;

        public OAuth2ClientStub() {
            this(true, Duration.ofSeconds(5L));
        }

        public OAuth2ClientStub(boolean z, Duration duration) {
            this(ImmutableMap.of(), duration, z);
        }

        public OAuth2ClientStub(Map<String, String> map, Duration duration, boolean z) {
            this.claims = new DefaultClaims(createClaims());
            this.claims.putAll((Map) Objects.requireNonNull(map, "additionalClaims is null"));
            this.accessTokenValidity = (Duration) Objects.requireNonNull(duration, "accessTokenValidity is null");
            this.accessToken = issueToken(this.claims);
            if (z) {
                this.nonce = Optional.of(randomNonce());
                this.idToken = Optional.of(issueToken(new DefaultClaims(ImmutableMap.builder().putAll(this.claims).put("nonce", this.nonce.get()).buildOrThrow())));
            } else {
                this.nonce = Optional.empty();
                this.idToken = Optional.empty();
            }
        }

        public void load() {
        }

        public OAuth2Client.Request createAuthorizationRequest(String str, URI uri) {
            return new OAuth2Client.Request(URI.create("http://example.com/authorize"), this.nonce);
        }

        public OAuth2Client.Response getOAuth2Response(String str, URI uri, Optional<String> optional) {
            if ("TEST_CODE".equals(str)) {
                return new OAuth2Client.Response(this.accessToken, Instant.now().plus((TemporalAmount) this.accessTokenValidity), this.idToken, Optional.of(TestWebUi.REFRESH_TOKEN));
            }
            throw new IllegalArgumentException("Expected TEST_CODE");
        }

        public Optional<Map<String, Object>> getClaims(String str) {
            return Optional.of(this.claims);
        }

        public OAuth2Client.Response refreshTokens(String str) throws ChallengeFailedException {
            if (str.equals(TestWebUi.REFRESH_TOKEN)) {
                return new OAuth2Client.Response(issueToken(this.claims), Instant.now().plusSeconds(30L), this.idToken, Optional.of(TestWebUi.REFRESH_TOKEN));
            }
            throw new ChallengeFailedException("invalid refresh token");
        }

        public String getAccessToken() {
            return this.accessToken;
        }

        private static String issueToken(Claims claims) {
            return JwtUtil.newJwtBuilder().signWith(TestWebUi.JWK_PRIVATE_KEY).setHeaderParam("kid", "test-rsa").setClaims(claims).compact();
        }

        private static Claims createClaims() {
            return new DefaultClaims().setIssuer(TestWebUi.TOKEN_ISSUER).setAudience(TestWebUi.OAUTH_CLIENT_ID).setSubject(TestWebUi.TEST_USER).setExpiration(Date.from(Instant.now().plus((TemporalAmount) Duration.ofMinutes(5L))));
        }

        public static String randomNonce() {
            byte[] bArr = new byte[32];
            secureRandom.nextBytes(bArr);
            return BaseEncoding.base64Url().encode(bArr);
        }
    }

    @jakarta.ws.rs.Path("/ui/username")
    /* loaded from: input_file:io/trino/server/ui/TestWebUi$TestResource.class */
    public static class TestResource {
        private final HttpRequestSessionContextFactory sessionContextFactory;

        @Inject
        public TestResource(AccessControl accessControl) {
            this.sessionContextFactory = new HttpRequestSessionContextFactory(new PreparedStatementEncoder(new ProtocolConfig()), MetadataManager.createTestMetadataManager(), (v0) -> {
                return ImmutableSet.of(v0);
            }, accessControl);
        }

        @ResourceSecurity(ResourceSecurity.AccessType.WEB_UI)
        @GET
        public Response echoToken(@Context HttpServletRequest httpServletRequest, @Context HttpHeaders httpHeaders) {
            return Response.ok().header("user", this.sessionContextFactory.extractAuthorizedIdentity(httpServletRequest, httpHeaders, Optional.empty()).getUser()).build();
        }
    }

    @BeforeAll
    public void setup() throws IOException {
        OkHttpClient.Builder followRedirects = new OkHttpClient.Builder().followRedirects(false);
        OkHttpUtil.setupSsl(followRedirects, Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), false);
        this.client = followRedirects.build();
        this.passwordConfigDummy = Files.createTempFile("passwordConfigDummy", "", new FileAttribute[0]);
        this.passwordConfigDummy.toFile().deleteOnExit();
    }

    @Test
    public void testInsecureAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setAdditionalModule(binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
        }).build();
        try {
            testFormAuthentication(build, (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class)), AUTHENTICATED_USER, TEST_PASSWORD, false);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "PaSSworD").put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setAdditionalModule(binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
        }).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestWebUi::authenticate});
            testFormAuthentication(build, (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class)), AUTHENTICATED_USER, TEST_PASSWORD, true);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultiplePasswordAuthenticators() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setAdditionalModule(binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
        }).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestWebUi::authenticate, TestWebUi::authenticate2});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testFormAuthentication(build, httpServerInfo, AUTHENTICATED_USER, TEST_PASSWORD, true);
            testFormAuthentication(build, httpServerInfo, AUTHENTICATED_USER, TEST_PASSWORD2, true);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testFormAuthentication(TestingTrinoServer testingTrinoServer, HttpServerInfo httpServerInfo, String str, String str2, boolean z) throws Exception {
        testRootRedirect(httpServerInfo.getHttpUri(), this.client);
        testRootRedirect(httpServerInfo.getHttpsUri(), this.client);
        String nodeId = ((NodeInfo) testingTrinoServer.getInstance(Key.get(NodeInfo.class))).getNodeId();
        testWorkerResource(nodeId, httpServerInfo.getHttpUri(), str, str2, false);
        testWorkerResource(nodeId, httpServerInfo.getHttpsUri(), str, str2, z);
        testLoggedOut(httpServerInfo.getHttpUri());
        testLoggedOut(httpServerInfo.getHttpsUri());
        testLogIn(httpServerInfo.getHttpUri(), str, str2, false);
        testLogIn(httpServerInfo.getHttpsUri(), str, str2, z);
        testFailedLogin(httpServerInfo.getHttpUri(), false, str2);
        testFailedLogin(httpServerInfo.getHttpsUri(), z, str2);
        testUserMapping(httpServerInfo.getHttpsUri(), str, str2, z);
    }

    private static void testRootRedirect(URI uri, OkHttpClient okHttpClient) throws IOException {
        assertRedirect(okHttpClient, HttpUriBuilder.uriBuilderFrom(uri).toString(), getUiLocation(uri));
    }

    private void testLoggedOut(URI uri) throws IOException {
        assertRedirect(this.client, getUiLocation(uri), getLoginHtmlLocation(uri));
        assertRedirect(this.client, getLocation(uri, "/ui/query.html", "abc123"), getLocation(uri, "/ui/login.html", "/ui/query.html?abc123"), false);
        assertResponseCode(this.client, getValidApiLocation(uri), 401);
        assertOk(this.client, getValidAssetsLocation(uri));
        assertOk(this.client, getValidVendorLocation(uri));
    }

    private void testLogIn(URI uri, String str, String str2, boolean z) throws Exception {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        String orElseThrow = assertOk(build, getLoginHtmlLocation(uri)).orElseThrow(() -> {
            return new AssertionError("No response body");
        });
        Assertions.assertThat(orElseThrow).contains(new CharSequence[]{"action=\"/ui/login\""});
        Assertions.assertThat(orElseThrow).contains(new CharSequence[]{"method=\"post\""});
        Assertions.assertThat(orElseThrow).doesNotContain(new CharSequence[]{"// This value will be replaced"});
        if (z) {
            Assertions.assertThat(orElseThrow).contains(new CharSequence[]{"var hidePassword = false;"});
        } else {
            Assertions.assertThat(orElseThrow).contains(new CharSequence[]{"var hidePassword = true;"});
        }
        logIn(uri, build, str, str2, z);
        HttpCookie httpCookie = (HttpCookie) Iterables.getOnlyElement(cookieManager.getCookieStore().getCookies());
        Assert.assertEquals(httpCookie.getPath(), "/ui");
        Assert.assertEquals(httpCookie.getDomain(), uri.getHost());
        Assert.assertEquals(httpCookie.getMaxAge(), -1L);
        Assert.assertTrue(httpCookie.isHttpOnly());
        assertOk(build, getUiLocation(uri));
        assertOk(build, getValidApiLocation(uri));
        assertResponseCode(build, getLocation(uri, "/ui/unknown"), 404);
        assertResponseCode(build, getLocation(uri, "/ui/api/unknown"), 404);
        assertRedirect(build, getLogoutLocation(uri), getLoginHtmlLocation(uri), false);
        Assertions.assertThat(cookieManager.getCookieStore().getCookies()).isEmpty();
    }

    private void testFailedLogin(URI uri, boolean z, String str) throws IOException {
        testFailedLogin(uri, Optional.empty(), Optional.empty());
        testFailedLogin(uri, Optional.empty(), Optional.of(str));
        testFailedLogin(uri, Optional.empty(), Optional.of("unknown"));
        if (z) {
            testFailedLogin(uri, Optional.of(TEST_USER), Optional.of("unknown"));
            testFailedLogin(uri, Optional.of(AUTHENTICATED_USER), Optional.of("unknown"));
            testFailedLogin(uri, Optional.of(FORM_LOGIN_USER), Optional.of("unknown"));
            testFailedLogin(uri, Optional.of("unknown"), Optional.of(str));
            testFailedLogin(uri, Optional.of(TEST_USER), Optional.empty());
            testFailedLogin(uri, Optional.of(AUTHENTICATED_USER), Optional.empty());
            testFailedLogin(uri, Optional.of(FORM_LOGIN_USER), Optional.empty());
            testFailedLogin(uri, Optional.of("unknown"), Optional.empty());
        }
    }

    private void testFailedLogin(URI uri, Optional<String> optional, Optional<String> optional2) throws IOException {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        FormBody.Builder builder = new FormBody.Builder();
        optional.ifPresent(str -> {
            builder.add("username", str);
        });
        optional2.ifPresent(str2 -> {
            builder.add("password", str2);
        });
        okhttp3.Response execute = build.newCall(new Request.Builder().url(getLoginLocation(uri)).post(builder.build()).build()).execute();
        try {
            Assert.assertEquals(execute.code(), 303);
            Assert.assertEquals(execute.header("Location"), getLoginHtmlLocation(uri));
            Assert.assertTrue(cookieManager.getCookieStore().getCookies().isEmpty());
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testWorkerResource(String str, URI uri, String str2, String str3, boolean z) throws Exception {
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(new CookieManager())).build();
        logIn(uri, build, str2, str3, z);
        testWorkerResource(str, uri, build);
    }

    private static void testWorkerResource(String str, URI uri, OkHttpClient okHttpClient) throws IOException {
        assertOk(okHttpClient, getLocation(uri, "/ui/api/worker/" + str + "/status"));
        assertOk(okHttpClient, getLocation(uri, "/ui/api/worker/" + str + "/thread"));
    }

    private void testUserMapping(URI uri, String str, String str2, boolean z) throws Exception {
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(new CookieManager())).build();
        logIn(uri, build, str, str2, z);
        okhttp3.Response execute = build.newCall(new Request.Builder().url(getLocation(uri, "/ui/username/")).build()).execute();
        try {
            Assert.assertEquals(execute.code(), 200);
            Assert.assertEquals(execute.header("user"), TEST_USER);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static void logIn(URI uri, OkHttpClient okHttpClient, String str, String str2, boolean z) throws IOException {
        FormBody.Builder add = new FormBody.Builder().add("username", str);
        if (z) {
            add.add("password", str2);
        }
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(getLoginLocation(uri)).post(add.build()).build()).execute();
        Assert.assertEquals(execute.code(), 303);
        Assert.assertEquals(execute.header("Location"), getUiLocation(uri));
    }

    @Test
    public void testDisabled() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.enabled", "false").buildOrThrow()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testDisabled(httpServerInfo.getHttpUri());
            testDisabled(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testDisabled(URI uri) throws Exception {
        assertRedirect(this.client, getUiLocation(uri), getDisabledLocation(uri));
        assertRedirect(this.client, getLocation(uri, "/ui/query.html", "abc123"), getDisabledLocation(uri));
        assertResponseCode(this.client, getValidApiLocation(uri), 401);
        assertRedirect(this.client, getLoginLocation(uri), getDisabledLocation(uri));
        assertRedirect(this.client, getLogoutLocation(uri), getDisabledLocation(uri));
        assertOk(this.client, getValidAssetsLocation(uri));
        assertOk(this.client, getValidVendorLocation(uri));
    }

    @Test
    public void testNoPasswordAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("password-authenticator.config-files", this.passwordConfigDummy.toString()).buildOrThrow()).build();
        try {
            FormAuthenticator formAuthenticator = (FormAuthenticator) build.getInstance(Key.get(FormAuthenticator.class));
            Assertions.assertThatThrownBy(() -> {
                formAuthenticator.isValidCredential(TEST_USER, TEST_USER, true);
            }).hasMessage("authenticators were not loaded").isInstanceOf(IllegalStateException.class);
            Assert.assertTrue(formAuthenticator.isLoginEnabled(true));
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.authentication.type", "fixed").put("web-ui.user", TEST_USER).buildOrThrow()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            String nodeId = ((NodeInfo) build.getInstance(Key.get(NodeInfo.class))).getNodeId();
            testAlwaysAuthorized(httpServerInfo.getHttpUri(), this.client, nodeId);
            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), this.client, nodeId);
            testFixedAuthenticator(httpServerInfo.getHttpUri());
            testFixedAuthenticator(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testFixedAuthenticator(URI uri) throws Exception {
        assertOk(this.client, getUiLocation(uri));
        assertOk(this.client, getValidApiLocation(uri));
        assertResponseCode(this.client, getLocation(uri, "/ui/unknown"), 404);
        assertResponseCode(this.client, getLocation(uri, "/ui/api/unknown"), 404);
    }

    @Test
    public void testCertAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "certificate").put("http-server.https.truststore.path", LOCALHOST_KEYSTORE).put("http-server.https.truststore.key", "").buildOrThrow()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            String nodeId = ((NodeInfo) build.getInstance(Key.get(NodeInfo.class))).getNodeId();
            testLogIn(httpServerInfo.getHttpUri(), FORM_LOGIN_USER, TEST_PASSWORD, false);
            testNeverAuthorized(httpServerInfo.getHttpsUri(), this.client);
            OkHttpClient.Builder newBuilder = this.client.newBuilder();
            OkHttpUtil.setupSsl(newBuilder, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), false);
            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), newBuilder.build(), nodeId);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).buildOrThrow()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            String nodeId = ((NodeInfo) build.getInstance(Key.get(NodeInfo.class))).getNodeId();
            testLogIn(httpServerInfo.getHttpUri(), FORM_LOGIN_USER, TEST_PASSWORD, false);
            testNeverAuthorized(httpServerInfo.getHttpsUri(), this.client);
            String compact = JwtUtil.newJwtBuilder().signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(Files.readString(Paths.get(HMAC_KEY, new String[0])).trim()))).setSubject(TEST_USER).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
            }).build(), nodeId);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtWithJwkAuthenticator() throws Exception {
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", createTestingJwkServer.getBaseUrl().toString()).buildOrThrow()).build();
            try {
                HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
                String nodeId = ((NodeInfo) build.getInstance(Key.get(NodeInfo.class))).getNodeId();
                testLogIn(httpServerInfo.getHttpUri(), FORM_LOGIN_USER, TEST_PASSWORD, false);
                testNeverAuthorized(httpServerInfo.getHttpsUri(), this.client);
                String compact = JwtUtil.newJwtBuilder().signWith(JWK_PRIVATE_KEY).setHeaderParam("kid", "test-rsa").setSubject(TEST_USER).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
                testAlwaysAuthorized(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
                }).build(), nodeId);
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testOAuth2Authenticator() throws Exception {
        OAuth2ClientStub oAuth2ClientStub = new OAuth2ClientStub();
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(OAUTH2_PROPERTIES).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).buildOrThrow()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(oAuth2ClientStub);
            }).build();
            try {
                assertAuth2Authentication(build, oAuth2ClientStub.getAccessToken(), false);
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testOAuth2AuthenticatorWithoutOpenIdScope() throws Exception {
        OAuth2ClientStub oAuth2ClientStub = new OAuth2ClientStub(false, Duration.ofSeconds(5L));
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(OAUTH2_PROPERTIES).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.scopes", "").buildOrThrow()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(oAuth2ClientStub);
            }).build();
            try {
                assertAuth2Authentication(build, oAuth2ClientStub.getAccessToken(), false);
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testOAuth2AuthenticatorWithRefreshToken() throws Exception {
        OAuth2ClientStub oAuth2ClientStub = new OAuth2ClientStub(false, Duration.ofSeconds(5L));
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(OAUTH2_PROPERTIES).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.refresh-tokens", "true").put("http-server.authentication.oauth2.refresh-tokens.issued-token.timeout", REFRESH_TOKEN_TIMEOUT.getSeconds() + "s").buildOrThrow()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(oAuth2ClientStub);
            }).build();
            try {
                assertAuth2Authentication(build, oAuth2ClientStub.getAccessToken(), true);
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testOAuth2AuthenticatorRedirectAfterAuthTokenRefresh() throws Exception {
        OAuth2ClientStub oAuth2ClientStub = new OAuth2ClientStub(false, Duration.ZERO);
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(OAUTH2_PROPERTIES).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.refresh-tokens", "true").put("http-server.authentication.oauth2.refresh-tokens.issued-token.timeout", REFRESH_TOKEN_TIMEOUT.getSeconds() + "s").buildOrThrow()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(oAuth2ClientStub);
            }).build();
            try {
                CookieManager cookieManager = new CookieManager();
                OkHttpClient build2 = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
                URI httpsUri = ((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri();
                loginWithCallbackEndpoint(build2, httpsUri);
                assertCookieWithRefreshToken(build, (HttpCookie) Iterables.getOnlyElement(cookieManager.getCookieStore().getCookies()), oAuth2ClientStub.getAccessToken());
                assertResponseCode(build2, getValidApiLocation(httpsUri), 307);
                assertOk(build2, getValidApiLocation(httpsUri));
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testOAuth2AuthenticatorRefreshTokenExpiration() throws Exception {
        OAuth2ClientStub oAuth2ClientStub = new OAuth2ClientStub(false, Duration.ofSeconds(5L));
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(OAUTH2_PROPERTIES).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.refresh-tokens", "true").put("http-server.authentication.oauth2.refresh-tokens.issued-token.timeout", "10s").buildOrThrow()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(oAuth2ClientStub);
            }).build();
            try {
                CookieManager cookieManager = new CookieManager();
                OkHttpClient build2 = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
                URI httpsUri = ((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri();
                loginWithCallbackEndpoint(build2, httpsUri);
                HttpCookie httpCookie = (HttpCookie) Iterables.getOnlyElement(cookieManager.getCookieStore().getCookies());
                assertOk(build2, getValidApiLocation(httpsUri));
                io.trino.testing.assertions.Assert.assertEventually(() -> {
                    Assertions.assertThat(cookieManager.getCookieStore().getCookies()).isEmpty();
                });
                assertResponseCode(build2, getValidApiLocation(httpsUri), Response.Status.UNAUTHORIZED.getStatusCode());
                HttpCookie httpCookie2 = new HttpCookie(httpCookie.getName(), httpCookie.getValue());
                httpCookie2.setPath(httpCookie.getPath());
                cookieManager.getCookieStore().add(httpsUri, httpCookie2);
                assertResponseCode(build2, getValidApiLocation(httpsUri), Response.Status.UNAUTHORIZED.getStatusCode());
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testCustomPrincipalField() throws Exception {
        OAuth2ClientStub oAuth2ClientStub = new OAuth2ClientStub(ImmutableMap.builder().put("sub", "unknown").put("preferred_username", "test-user@email.com").buildOrThrow(), Duration.ofSeconds(5L), true);
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(OAUTH2_PROPERTIES).put("http-server.authentication.oauth2.jwks-url", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.principal-field", "preferred_username").put("http-server.authentication.oauth2.user-mapping.pattern", "(.*)@.*").buildOrThrow()).setAdditionalModule(binder -> {
                OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(oAuth2ClientStub);
                JaxrsBinder.jaxrsBinder(binder).bind(AuthenticatedIdentityCapturingFilter.class);
            }).build();
            try {
                assertAuth2Authentication(build, oAuth2ClientStub.getAccessToken(), false);
                Identity authenticatedIdentity = ((AuthenticatedIdentityCapturingFilter) build.getInstance(Key.get(AuthenticatedIdentityCapturingFilter.class))).getAuthenticatedIdentity();
                Assertions.assertThat(authenticatedIdentity.getUser()).isEqualTo(TEST_USER);
                Assertions.assertThat(authenticatedIdentity.getPrincipal()).isEqualTo(Optional.of(new BasicPrincipal("test-user@email.com")));
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    private void assertAuth2Authentication(TestingTrinoServer testingTrinoServer, String str, boolean z) throws Exception {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        HttpServerInfo httpServerInfo = (HttpServerInfo) testingTrinoServer.getInstance(Key.get(HttpServerInfo.class));
        testDisabled(httpServerInfo.getHttpUri());
        URI httpsUri = httpServerInfo.getHttpsUri();
        testRootRedirect(httpsUri, build);
        assertRedirect(build, getUiLocation(httpsUri), "http://example.com/authorize", false);
        assertResponseCode(build, getValidApiLocation(httpsUri), Response.Status.UNAUTHORIZED.getStatusCode());
        assertRedirect(build, getLocation(httpsUri, "/ui/unknown"), "http://example.com/authorize", false);
        assertResponseCode(build, getLocation(httpsUri, "/ui/api/unknown"), Response.Status.UNAUTHORIZED.getStatusCode());
        loginWithCallbackEndpoint(build, httpsUri);
        HttpCookie httpCookie = (HttpCookie) Iterables.getOnlyElement(cookieManager.getCookieStore().getCookies());
        if (z) {
            assertCookieWithRefreshToken(testingTrinoServer, httpCookie, str);
        } else {
            Assert.assertEquals(httpCookie.getValue(), str);
            Assertions.assertThat(httpCookie.getMaxAge()).isGreaterThan(0L).isLessThan(30L);
        }
        Assert.assertEquals(httpCookie.getPath(), "/ui/");
        Assert.assertEquals(httpCookie.getDomain(), httpsUri.getHost());
        Assert.assertTrue(httpCookie.isHttpOnly());
        testRootRedirect(httpsUri, build);
        assertOk(build, getUiLocation(httpsUri));
        assertOk(build, getUiLocation(httpsUri));
        assertOk(build, getValidApiLocation(httpsUri));
        assertResponseCode(build, getLocation(httpsUri, "/ui/unknown"), 404);
        assertResponseCode(build, getLocation(httpsUri, "/ui/api/unknown"), 404);
        assertOk(build, getLogoutLocation(httpsUri));
        Assertions.assertThat(cookieManager.getCookieStore().getCookies()).isEmpty();
        assertRedirect(build, getUiLocation(httpsUri), "http://example.com/authorize", false);
    }

    private static void loginWithCallbackEndpoint(OkHttpClient okHttpClient, URI uri) throws IOException {
        assertRedirect(okHttpClient, HttpUriBuilder.uriBuilderFrom(uri).replacePath("/oauth2/callback").addParameter("code", new String[]{"TEST_CODE"}).addParameter("state", new String[]{JwtUtil.newJwtBuilder().signWith(Keys.hmacShaKeyFor(Hashing.sha256().hashString(STATE_KEY, StandardCharsets.UTF_8).asBytes())).setAudience("trino_oauth_ui").setExpiration(Date.from(ZonedDateTime.now().plusMinutes(10L).toInstant())).compact()}).toString(), getUiLocation(uri), false);
    }

    private static void assertCookieWithRefreshToken(TestingTrinoServer testingTrinoServer, HttpCookie httpCookie, String str) {
        TokenPairSerializer.TokenPair deserialize = ((TokenPairSerializer) testingTrinoServer.getInstance(Key.get(TokenPairSerializer.class))).deserialize(httpCookie.getValue());
        Assert.assertEquals(deserialize.accessToken(), str);
        Assert.assertEquals(deserialize.refreshToken(), Optional.of(REFRESH_TOKEN));
        Assertions.assertThat(httpCookie.getMaxAge()).isGreaterThan(0L).isLessThan(REFRESH_TOKEN_TIMEOUT.getSeconds());
    }

    private static void testAlwaysAuthorized(URI uri, OkHttpClient okHttpClient, String str) throws IOException {
        testRootRedirect(uri, okHttpClient);
        testWorkerResource(str, uri, okHttpClient);
        assertOk(okHttpClient, getUiLocation(uri));
        assertOk(okHttpClient, getValidApiLocation(uri));
        assertRedirect(okHttpClient, getLoginHtmlLocation(uri), getUiLocation(uri), false);
        assertRedirect(okHttpClient, getLoginLocation(uri), getUiLocation(uri), false);
        assertRedirect(okHttpClient, getLogoutLocation(uri), getUiLocation(uri), false);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/unknown"), 404);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/api/unknown"), 404);
    }

    private static void testNeverAuthorized(URI uri, OkHttpClient okHttpClient) throws IOException {
        testRootRedirect(uri, okHttpClient);
        assertResponseCode(okHttpClient, getUiLocation(uri), 401);
        assertResponseCode(okHttpClient, getValidApiLocation(uri), 401);
        assertResponseCode(okHttpClient, getLoginLocation(uri), 401, true);
        assertResponseCode(okHttpClient, getLogoutLocation(uri), 401);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/unknown"), 401);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/api/unknown"), 401);
    }

    private static Optional<String> assertOk(OkHttpClient okHttpClient, String str) throws IOException {
        return assertResponseCode(okHttpClient, str, 200);
    }

    private static void assertRedirect(OkHttpClient okHttpClient, String str, String str2) throws IOException {
        assertRedirect(okHttpClient, str, str2, true);
    }

    private static void assertRedirect(OkHttpClient okHttpClient, String str, String str2, boolean z) throws IOException {
        Request build = new Request.Builder().url(str).build();
        if (str.endsWith("/ui/login")) {
            build = build.newBuilder().post(new FormBody.Builder().add("username", "test").add("password", "test").build()).build();
        }
        okhttp3.Response execute = okHttpClient.newCall(build).execute();
        try {
            Assert.assertEquals(execute.code(), 303);
            Assert.assertEquals(execute.header("Location"), str2);
            if (execute != null) {
                execute.close();
            }
            if (z) {
                okhttp3.Response execute2 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").header("X-Forwarded-Host", "my-load-balancer.local").header("X-Forwarded-Port", "123").build()).execute();
                try {
                    Assert.assertEquals(execute2.code(), 303);
                    Assert.assertEquals(execute2.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").host("my-load-balancer.local").port(123).toString());
                    if (execute2 != null) {
                        execute2.close();
                    }
                    okhttp3.Response execute3 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").header("X-Forwarded-Host", "my-load-balancer.local:123").build()).execute();
                    try {
                        Assert.assertEquals(execute3.code(), 303);
                        Assert.assertEquals(execute3.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").host("my-load-balancer.local").port(123).toString());
                        if (execute3 != null) {
                            execute3.close();
                        }
                        okhttp3.Response execute4 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").header("X-Forwarded-Port", "123").build()).execute();
                        try {
                            Assert.assertEquals(execute4.code(), 303);
                            Assert.assertEquals(execute4.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").port(123).toString());
                            if (execute4 != null) {
                                execute4.close();
                            }
                            okhttp3.Response execute5 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").build()).execute();
                            try {
                                Assert.assertEquals(execute5.code(), 303);
                                Assert.assertEquals(execute5.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").toString());
                                if (execute5 != null) {
                                    execute5.close();
                                }
                                okhttp3.Response execute6 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Host", "my-load-balancer.local").header("X-Forwarded-Port", "123").build()).execute();
                                try {
                                    Assert.assertEquals(execute6.code(), 303);
                                    Assert.assertEquals(execute6.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).host("my-load-balancer.local").port(123).toString());
                                    if (execute6 != null) {
                                        execute6.close();
                                    }
                                    okhttp3.Response execute7 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Host", "my-load-balancer.local:123").build()).execute();
                                    try {
                                        Assert.assertEquals(execute7.code(), 303);
                                        Assert.assertEquals(execute7.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).host("my-load-balancer.local").port(123).toString());
                                        if (execute7 != null) {
                                            execute7.close();
                                        }
                                        execute4 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Host", "my-load-balancer.local").build()).execute();
                                        try {
                                            Assert.assertEquals(execute4.code(), 303);
                                            Assert.assertEquals(execute4.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).host("my-load-balancer.local").defaultPort().toString());
                                            if (execute4 != null) {
                                                execute4.close();
                                            }
                                        } finally {
                                        }
                                    } finally {
                                    }
                                } finally {
                                    if (execute6 != null) {
                                        try {
                                            execute6.close();
                                        } catch (Throwable th) {
                                            th.addSuppressed(th);
                                        }
                                    }
                                }
                            } finally {
                                if (execute5 != null) {
                                    try {
                                        execute5.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                }
                            }
                        } finally {
                            if (execute4 != null) {
                                try {
                                    execute4.close();
                                } catch (Throwable th3) {
                                    th.addSuppressed(th3);
                                }
                            }
                        }
                    } finally {
                        if (execute3 != null) {
                            try {
                                execute3.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        }
                    }
                } finally {
                    if (execute2 != null) {
                        try {
                            execute2.close();
                        } catch (Throwable th5) {
                            th.addSuppressed(th5);
                        }
                    }
                }
            }
        } finally {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th6) {
                    th.addSuppressed(th6);
                }
            }
        }
    }

    private static Optional<String> assertResponseCode(OkHttpClient okHttpClient, String str, int i) throws IOException {
        return assertResponseCode(okHttpClient, str, i, false);
    }

    private static Optional<String> assertResponseCode(OkHttpClient okHttpClient, String str, int i, boolean z) throws IOException {
        Request build = new Request.Builder().url(str).build();
        if (z) {
            build = build.newBuilder().post(new FormBody.Builder().add("username", "fake").add("password", "bad").build()).build();
        }
        okhttp3.Response execute = okHttpClient.newCall(build).execute();
        try {
            Assert.assertEquals(execute.code(), i, str);
            Optional<String> map = Optional.ofNullable(execute.body()).map(responseBody -> {
                try {
                    return responseBody.string();
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
            if (execute != null) {
                execute.close();
            }
            return map;
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static Principal authenticate(String str, String str2) {
        if (AUTHENTICATED_USER.equals(str) && TEST_PASSWORD.equals(str2)) {
            return new BasicPrincipal(AUTHENTICATED_USER);
        }
        throw new AccessDeniedException("Invalid credentials");
    }

    private static Principal authenticate2(String str, String str2) {
        if (AUTHENTICATED_USER.equals(str) && TEST_PASSWORD2.equals(str2)) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials");
    }

    private static String getUiLocation(URI uri) {
        return getLocation(uri, "/ui/");
    }

    private static String getLoginHtmlLocation(URI uri) {
        return getLocation(uri, "/ui/login.html");
    }

    private static String getLoginLocation(URI uri) {
        return getLocation(uri, "/ui/login");
    }

    private static String getLogoutLocation(URI uri) {
        return getLocation(uri, "/ui/logout");
    }

    private static String getDisabledLocation(URI uri) {
        return getLocation(uri, "/ui/disabled.html");
    }

    private static String getValidApiLocation(URI uri) {
        return getLocation(uri, "/ui/api/cluster");
    }

    private static String getValidAssetsLocation(URI uri) {
        return getLocation(uri, "/ui/assets/favicon.ico");
    }

    private static String getValidVendorLocation(URI uri) {
        return getLocation(uri, "/ui/vendor/bootstrap/css/bootstrap.css");
    }

    private static String getLocation(URI uri, String str) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).toString();
    }

    private static String getLocation(URI uri, String str, String str2) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).replaceParameter(str2, new String[0]).toString();
    }

    private static TestingHttpServer createTestingJwkServer() throws IOException {
        NodeInfo nodeInfo = new NodeInfo("test");
        HttpServerConfig httpPort = new HttpServerConfig().setHttpPort(0);
        return new TestingHttpServer(new HttpServerInfo(httpPort, nodeInfo), nodeInfo, httpPort, new JwkServlet(), ImmutableMap.of());
    }

    static {
        try {
            JWK_PRIVATE_KEY = PemReader.loadPrivateKey(new File(Resources.getResource("jwk/jwk-rsa-private.pem").toURI()), Optional.empty());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
