package io.trino.gateway.ha.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.dropwizard.auth.basic.BasicCredentials;
import io.trino.gateway.ha.config.FormAuthConfiguration;
import io.trino.gateway.ha.config.LdapConfiguration;
import io.trino.gateway.ha.config.UserConfiguration;
import jakarta.ws.rs.core.NewCookie;
import jakarta.ws.rs.core.Response;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/trino/gateway/ha/security/LbFormAuthManager.class */
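/**
 * Handles form-based login for the gateway UI: checks submitted credentials against LDAP and/or a
 * preset user map, and issues and validates the self-signed RS256 session token.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Preset users are matched by comparing the submitted password with the configured value
 *       as plain text, so the configuration holding {@code presetUsers} is itself a credential
 *       store and needs the same protection as one.</li>
 *   <li>When an LDAP client is configured and rejects the credentials, authentication still falls
 *       through to the preset users. A preset account therefore remains usable even if the same
 *       user name is denied by the directory.</li>
 * </ul>
 */
public class LbFormAuthManager {
    private static final Logger log = LoggerFactory.getLogger(LbFormAuthManager.class);
    private final FormAuthConfiguration configuration;
    // Null when no form-auth configuration was supplied; token issuing/validation needs it.
    private final LbKeyProvider lbKeyProvider;
    Map<String, UserConfiguration> presetUsers;
    private LdapConfiguration ldapConfiguration;
    // Null when no LDAP config path is set; authentication then relies on presetUsers only.
    private LbLdapClient lbLdapClient;

    /**
     * Builds the manager from the form-auth configuration and the preset user map.
     *
     * @param formAuthConfiguration form-auth settings; may be {@code null}, in which case neither
     *     a key provider nor an LDAP client is created
     * @param map preset users keyed by user name; may be {@code null}
     */
    public LbFormAuthManager(FormAuthConfiguration formAuthConfiguration, Map<String, UserConfiguration> map) {
        this.configuration = formAuthConfiguration;
        this.presetUsers = map;
        this.lbKeyProvider = formAuthConfiguration == null
                ? null
                : new LbKeyProvider(formAuthConfiguration.getSelfSignKeyPair());
        if (formAuthConfiguration != null && formAuthConfiguration.getLdapConfigPath() != null) {
            this.lbLdapClient = new LbLdapClient(LdapConfiguration.load(formAuthConfiguration.getLdapConfigPath()));
        } else {
            this.lbLdapClient = null;
        }
    }

    /**
     * Returns the name of the token claim that carries the user id.
     *
     * @return {@code "sub"}, the claim populated by {@code withSubject} when the token is issued
     */
    public String getUserIdField() {
        return "sub";
    }

    /**
     * Processes a login form submission.
     *
     * <p>Both outcomes answer with a 302 redirect to {@code /}; only a successful login carries
     * the session cookie, so the response itself does not state why a login was refused.
     *
     * @param str submitted user name
     * @param str2 submitted password
     * @return the redirect response, with the token cookie attached on success
     */
    public Response processLoginForm(String str, String str2) {
        boolean accepted = authenticate(new BasicCredentials(str, str2));
        Response.ResponseBuilder redirect = Response.status(302).location(URI.create("/"));
        if (accepted) {
            NewCookie sessionCookie = SessionCookie.getTokenCookie(getSelfSignedToken(str));
            redirect.cookie(sessionCookie);
        }
        return redirect.build();
    }

    /**
     * Validates a token and returns its claims.
     *
     * <p>Claims are only returned after {@code LbTokenUtil.validateToken} accepts the token; any
     * failure (malformed token, validation error, missing key material) yields an empty result,
     * i.e. the method fails closed.
     *
     * @param str the encoded JWT
     * @return the token claims, or {@link Optional#empty()} if the token is not accepted
     */
    public Optional<Map<String, Claim>> getClaimsFromIdToken(String str) {
        if (this.lbKeyProvider == null) {
            // Without a key there is nothing to verify the signature against: reject explicitly
            // instead of relying on a NullPointerException being caught below.
            log.error("Could not validate token: no key provider is configured.");
            return Optional.empty();
        }
        try {
            DecodedJWT decode = JWT.decode(str);
            // NOTE(review): the issuer passed to the validator is read from the token being
            // validated; confirm validateToken does not treat it as an independent expectation.
            if (LbTokenUtil.validateToken(str, this.lbKeyProvider.getRsaPublicKey(), decode.getIssuer())) {
                return Optional.of(decode.getClaims());
            }
        } catch (Exception e) {
            log.error("Could not validate token or get claims from it.", e);
        }
        return Optional.empty();
    }

    /**
     * Issues an RS256-signed token with issuer {@code "self"} and the given subject.
     *
     * <p>NOTE(review): no expiry ({@code exp}) claim is set here, so the token's lifetime is
     * bounded only by whatever the cookie and the validator enforce; confirm that is intended.
     *
     * @param str the user name to place in the subject claim
     * @return the signed, encoded JWT
     * @throws JWTCreationException if signing fails
     */
    private String getSelfSignedToken(String str) {
        try {
            Algorithm rs256 = Algorithm.RSA256(this.lbKeyProvider.getRsaPublicKey(), this.lbKeyProvider.getRsaPrivateKey());
            return JWT.create()
                    .withHeader(Map.of("alg", "RS256"))
                    .withIssuer("self")
                    .withSubject(str)
                    .sign(rs256);
        } catch (JWTCreationException e) {
            // Keep the cause in the log; the message alone gives no hint why signing failed.
            log.error("Error while creating the selfsigned token JWT", e);
            throw e;
        }
    }

    /**
     * Checks the credentials against LDAP (when configured) and then against the preset users.
     *
     * @param basicCredentials the submitted user name and password
     * @return {@code true} if either LDAP or a preset user entry accepts the credentials
     */
    public boolean authenticate(BasicCredentials basicCredentials) {
        String username = basicCredentials.getUsername();
        String submitted = basicCredentials.getPassword();
        if (this.lbLdapClient != null && this.lbLdapClient.authenticate(username, submitted)) {
            return true;
        }
        if (this.presetUsers == null) {
            return false;
        }
        UserConfiguration preset = this.presetUsers.get(username);
        if (preset == null) {
            return false;
        }
        String expected = preset.getPassword();
        if (expected == null || submitted == null) {
            // A preset entry without a password must never match; previously this path threw.
            return false;
        }
        // MessageDigest.isEqual avoids the early exit of String.equals, so the comparison time
        // does not depend on how many leading characters of the guess are correct.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}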
