package io.trino.server.security.oauth2;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import com.google.common.net.InetAddresses;
import com.google.inject.Key;
import com.nimbusds.oauth2.sdk.GrantType;
import io.airlift.http.server.HttpServerConfig;
import io.airlift.http.server.HttpServerInfo;
import io.airlift.http.server.testing.TestingHttpServer;
import io.airlift.log.Level;
import io.airlift.log.Logging;
import io.airlift.node.NodeConfig;
import io.airlift.node.NodeInfo;
import io.trino.client.OkHttpUtil;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.server.ui.OAuth2WebUiAuthenticationFilter;
import io.trino.server.ui.WebUiModule;
import io.trino.testing.ResourcePresence;
import io.trino.util.AutoCloseableCloser;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.time.Duration;
import java.util.List;
import java.util.Objects;
import okhttp3.Credentials;
import okhttp3.FormBody;
import okhttp3.HttpUrl;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import org.testcontainers.containers.FixedHostPortGenericContainer;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.Network;
import org.testcontainers.containers.PostgreSQLContainer;
import org.testcontainers.containers.startupcheck.OneShotStartupCheckStrategy;
import org.testcontainers.containers.wait.strategy.Wait;
import org.testcontainers.containers.wait.strategy.WaitAllStrategy;
import org.testcontainers.utility.MountableFile;

/* loaded from: input_file:io/trino/server/security/oauth2/TestingHydraIdentityProvider.class */
public class TestingHydraIdentityProvider implements AutoCloseable {
    private static final String HYDRA_IMAGE = "oryd/hydra:v1.10.6";
    private static final String ISSUER = "https://localhost:4444/";
    private static final String DSN = "postgres://hydra:mysecretpassword@database:5432/hydra?sslmode=disable";
    private final Network network;
    private final PostgreSQLContainer<?> databaseContainer;
    private final GenericContainer<?> migrationContainer;
    private final AutoCloseableCloser closer;
    private final ObjectMapper mapper;
    private final Duration ttlAccessToken;
    private final boolean useJwt;
    private final boolean exposeFixedPorts;
    private final OkHttpClient httpClient;
    private FixedHostPortGenericContainer<?> hydraContainer;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/oauth2/TestingHydraIdentityProvider$AcceptAllLoginsAndConsentsServlet.class */
    public class AcceptAllLoginsAndConsentsServlet extends HttpServlet {
        private final ObjectMapper mapper = new ObjectMapper();
        private final OkHttpClient httpClient;

        public AcceptAllLoginsAndConsentsServlet() {
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            OkHttpUtil.setupInsecureSsl(builder);
            this.httpClient = builder.build();
        }

        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            if (httpServletRequest.getPathInfo().equals("/login")) {
                acceptLogin(httpServletRequest, httpServletResponse);
            } else if (httpServletRequest.getPathInfo().contains("/consent")) {
                acceptConsent(httpServletRequest, httpServletResponse);
            } else {
                httpServletResponse.setStatus(404);
            }
        }

        private void acceptLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            Response acceptLogin = acceptLogin(httpServletRequest.getParameter("login_challenge"));
            try {
                sendRedirect(acceptLogin, httpServletResponse);
                if (acceptLogin != null) {
                    acceptLogin.close();
                }
            } catch (Throwable th) {
                if (acceptLogin != null) {
                    try {
                        acceptLogin.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        private void acceptConsent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            String parameter = httpServletRequest.getParameter("consent_challenge");
            Response acceptConsent = acceptConsent(parameter, getConsentRequest(parameter));
            try {
                sendRedirect(acceptConsent, httpServletResponse);
                if (acceptConsent != null) {
                    acceptConsent.close();
                }
            } catch (Throwable th) {
                if (acceptConsent != null) {
                    try {
                        acceptConsent.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        private Response acceptLogin(String str) throws IOException {
            return this.httpClient.newCall(new Request.Builder().url("https://localhost:" + TestingHydraIdentityProvider.this.getAdminPort() + "/oauth2/auth/requests/login/accept?login_challenge=" + str).put(RequestBody.create(MediaType.get("application/json"), this.mapper.writeValueAsString(this.mapper.createObjectNode().put("subject", "foo@bar.com")))).build()).execute();
        }

        private JsonNode getConsentRequest(String str) throws IOException {
            Response execute = this.httpClient.newCall(new Request.Builder().url("https://localhost:" + TestingHydraIdentityProvider.this.getAdminPort() + "/oauth2/auth/requests/consent?consent_challenge=" + str).get().build()).execute();
            try {
                Objects.requireNonNull(execute.body());
                JsonNode readTree = this.mapper.readTree(execute.body().byteStream());
                if (execute != null) {
                    execute.close();
                }
                return readTree;
            } catch (Throwable th) {
                if (execute != null) {
                    try {
                        execute.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        private Response acceptConsent(String str, JsonNode jsonNode) throws IOException {
            return this.httpClient.newCall(new Request.Builder().url("https://localhost:" + TestingHydraIdentityProvider.this.getAdminPort() + "/oauth2/auth/requests/consent/accept?consent_challenge=" + str).put(RequestBody.create(MediaType.get("application/json"), this.mapper.writeValueAsString(this.mapper.createObjectNode().set("grant_scope", jsonNode.get("requested_scope")).set("grant_access_token_audience", jsonNode.get("requested_access_token_audience"))))).build()).execute();
        }

        private void sendRedirect(Response response, HttpServletResponse httpServletResponse) throws IOException {
            Objects.requireNonNull(response.body());
            httpServletResponse.sendRedirect(toHostUrl(this.mapper.readTree(response.body().byteStream()).get("redirect_to").textValue()));
        }

        private String toHostUrl(String str) {
            return HttpUrl.get(str).newBuilder().port(TestingHydraIdentityProvider.this.getAuthPort()).toString();
        }
    }

    public TestingHydraIdentityProvider() {
        this(Duration.ofMinutes(30L), true, false);
    }

    public TestingHydraIdentityProvider(Duration duration, boolean z, boolean z2) {
        this.network = Network.newNetwork();
        this.databaseContainer = new PostgreSQLContainer().withNetwork(this.network).withNetworkAliases(new String[]{"database"}).withUsername("hydra").withPassword("mysecretpassword").withDatabaseName("hydra");
        this.migrationContainer = createHydraContainer().withCommand(new String[]{"migrate", "sql", "--yes", DSN}).withStartupCheckStrategy(new OneShotStartupCheckStrategy().withTimeout(Duration.ofMinutes(5L)));
        this.closer = AutoCloseableCloser.create();
        this.mapper = new ObjectMapper();
        this.ttlAccessToken = (Duration) Objects.requireNonNull(duration, "ttlAccessToken is null");
        this.useJwt = z;
        this.exposeFixedPorts = z2;
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        OkHttpUtil.setupInsecureSsl(builder);
        builder.followRedirects(false);
        this.httpClient = builder.build();
        this.closer.register(this.network);
        this.closer.register(this.databaseContainer);
        this.closer.register(this.migrationContainer);
    }

    public void start() throws Exception {
        this.databaseContainer.start();
        this.migrationContainer.start();
        TestingHttpServer createTestingLoginAndConsentServer = createTestingLoginAndConsentServer();
        AutoCloseableCloser autoCloseableCloser = this.closer;
        Objects.requireNonNull(createTestingLoginAndConsentServer);
        autoCloseableCloser.register(createTestingLoginAndConsentServer::stop);
        createTestingLoginAndConsentServer.start();
        URI baseUrl = createTestingLoginAndConsentServer.getBaseUrl();
        this.hydraContainer = createHydraContainer().withNetworkAliases(new String[]{"hydra"}).withExposedPorts(new Integer[]{4444, 4445}).withEnv("DSN", DSN).withEnv("URLS_SELF_ISSUER", ISSUER).withEnv("URLS_CONSENT", baseUrl + "/consent").withEnv("URLS_LOGIN", baseUrl + "/login").withEnv("SERVE_TLS_KEY_PATH", "/tmp/certs/localhost.pem").withEnv("SERVE_TLS_CERT_PATH", "/tmp/certs/localhost.pem").withEnv("TTL_ACCESS_TOKEN", this.ttlAccessToken.getSeconds() + "s").withEnv("TTL_ID_TOKEN", this.ttlAccessToken.getSeconds() + "s").withEnv("STRATEGIES_ACCESS_TOKEN", this.useJwt ? "jwt" : null).withEnv("LOG_LEAK_SENSITIVE_VALUES", "true").withCommand(new String[]{"serve", "all"}).withCopyFileToContainer(MountableFile.forClasspathResource("/cert"), "/tmp/certs").waitingFor(new WaitAllStrategy().withStrategy(Wait.forLogMessage(".*Setting up http server on :4444.*", 1)).withStrategy(Wait.forLogMessage(".*Setting up http server on :4445.*", 1)));
        if (this.exposeFixedPorts) {
            this.hydraContainer = this.hydraContainer.withFixedExposedPort(4444, 4444).withFixedExposedPort(4445, 4445);
        }
        this.closer.register(this.hydraContainer);
        this.hydraContainer.start();
    }

    public FixedHostPortGenericContainer<?> createHydraContainer() {
        return new FixedHostPortGenericContainer(HYDRA_IMAGE).withNetwork(this.network);
    }

    public void createClient(String str, String str2, TokenEndpointAuthMethod tokenEndpointAuthMethod, List<String> list, String str3, String str4) {
        createHydraContainer().withCommand(new String[]{"clients", "create", "--endpoint", "https://hydra:4445", "--skip-tls-verify", "--id", str, "--secret", str2, "--audience", String.join(",", list), "--grant-types", "authorization_code,refresh_token,client_credentials", "--response-types", "token,code,id_token", "--scope", "openid,offline", "--token-endpoint-auth-method", tokenEndpointAuthMethod.getValue(), "--callbacks", str3, "--post-logout-callbacks", str4}).withStartupCheckStrategy(new OneShotStartupCheckStrategy().withTimeout(Duration.ofSeconds(30L))).start();
    }

    public String getToken(String str, String str2, List<String> list) throws IOException {
        Response execute = this.httpClient.newCall(new Request.Builder().url("https://localhost:" + getAuthPort() + "/oauth2/token").addHeader("Authorization", Credentials.basic(str, str2)).post(new FormBody.Builder().add("grant_type", GrantType.CLIENT_CREDENTIALS.getValue()).add("audience", String.join(" ", list)).build()).build()).execute();
        try {
            Preconditions.checkState(execute.code() == 200);
            Objects.requireNonNull(execute.body());
            String textValue = this.mapper.readTree(execute.body().byteStream()).get("access_token").textValue();
            if (execute != null) {
                execute.close();
            }
            return textValue;
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public int getAuthPort() {
        return this.hydraContainer.getMappedPort(4444).intValue();
    }

    public int getAdminPort() {
        return this.hydraContainer.getMappedPort(4445).intValue();
    }

    @Override // java.lang.AutoCloseable
    public void close() throws Exception {
        this.closer.close();
    }

    private TestingHttpServer createTestingLoginAndConsentServer() throws IOException {
        NodeInfo nodeInfo = new NodeInfo(new NodeConfig().setEnvironment("test").setNodeInternalAddress(InetAddresses.toAddrString(InetAddress.getLocalHost())));
        HttpServerConfig httpPort = new HttpServerConfig().setHttpPort(0);
        return new TestingHttpServer(new HttpServerInfo(httpPort, nodeInfo), nodeInfo, httpPort, new AcceptAllLoginsAndConsentsServlet(), ImmutableMap.of());
    }

    private static void runTestServer(boolean z) throws Exception {
        TestingHydraIdentityProvider testingHydraIdentityProvider = new TestingHydraIdentityProvider(Duration.ofMinutes(30L), z, true);
        try {
            testingHydraIdentityProvider.start();
            testingHydraIdentityProvider.createClient("trino-client", "trino-secret", TokenEndpointAuthMethod.CLIENT_SECRET_BASIC, ImmutableList.of("https://localhost:8443/ui"), "https://localhost:8443/oauth2/callback", "https://localhost:8443/ui/logout/logout.html");
            TestingTrinoServer build = TestingTrinoServer.builder().setCoordinator(true).setAdditionalModule(new WebUiModule()).setProperties(ImmutableMap.builder().put("web-ui.enabled", "true").put("web-ui.authentication.type", "oauth2").put("http-server.https.port", "8443").put("http-server.https.enabled", "true").put("http-server.https.keystore.path", Resources.getResource("cert/localhost.pem").getPath()).put("http-server.https.keystore.key", "").put("http-server.authentication.type", "oauth2").put("http-server.authentication.oauth2.issuer", ISSUER).put("http-server.authentication.oauth2.client-id", "trino-client").put("http-server.authentication.oauth2.client-secret", "trino-secret").put("http-server.authentication.oauth2.user-mapping.pattern", "(.*)@.*").put("http-server.authentication.oauth2.oidc.use-userinfo-endpoint", String.valueOf(!z)).put("oauth2-jwk.http-client.trust-store-path", Resources.getResource("cert/localhost.pem").getPath()).buildOrThrow()).build();
            try {
                ((OAuth2Client) build.getInstance(Key.get(OAuth2Client.class))).load();
                Thread.sleep(Long.MAX_VALUE);
                if (build != null) {
                    build.close();
                }
                testingHydraIdentityProvider.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                testingHydraIdentityProvider.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @ResourcePresence
    public boolean isRunning() {
        return (this.hydraContainer.getContainerId() == null && this.databaseContainer.getContainerId() == null && this.migrationContainer.getContainerId() == null) ? false : true;
    }

    public static void main(String[] strArr) throws Exception {
        Logging initialize = Logging.initialize();
        try {
            initialize.setLevel(OAuth2WebUiAuthenticationFilter.class.getName(), Level.DEBUG);
            initialize.setLevel(OAuth2Service.class.getName(), Level.DEBUG);
            runTestServer(false);
        } finally {
            initialize.clearLevel(OAuth2WebUiAuthenticationFilter.class.getName());
            initialize.clearLevel(OAuth2Service.class.getName());
        }
    }
}
