package io.trino.server.security.oauth2;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import com.google.inject.Key;
import io.airlift.http.client.HttpClientConfig;
import io.airlift.http.client.jetty.JettyHttpClient;
import io.airlift.log.Level;
import io.airlift.log.Logging;
import io.airlift.testing.Closeables;
import io.trino.client.OkHttpUtil;
import io.trino.server.security.jwt.JwkService;
import io.trino.server.security.jwt.JwkSigningKeyResolver;
import io.trino.server.security.jwt.JwtUtil;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.server.ui.OAuth2WebUiAuthenticationFilter;
import io.trino.server.ui.WebUiModule;
import java.net.CookieManager;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.time.Duration;
import okhttp3.JavaNetCookieJar;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInstance;
import org.junit.jupiter.api.parallel.Execution;
import org.junit.jupiter.api.parallel.ExecutionMode;

@Execution(ExecutionMode.CONCURRENT)
@TestInstance(TestInstance.Lifecycle.PER_CLASS)
/* loaded from: input_file:io/trino/server/security/oauth2/TestOAuth2WebUiAuthenticationFilterWithRefreshTokens.class */
public class TestOAuth2WebUiAuthenticationFilterWithRefreshTokens {
    protected static final Duration TTL_ACCESS_TOKEN_IN_SECONDS = Duration.ofSeconds(5);
    protected static final String TRINO_CLIENT_ID = "trino-client";
    protected static final String TRINO_CLIENT_SECRET = "trino-secret";
    private static final String TRINO_AUDIENCE = "trino-client";
    private static final String ADDITIONAL_AUDIENCE = "https://external-service.com";
    protected static final String TRUSTED_CLIENT_ID = "trusted-client";
    protected OkHttpClient httpClient;
    protected TestingHydraIdentityProvider hydraIdP;
    private TestingTrinoServer server;
    private URI serverUri;
    private URI uiUri;

    @BeforeAll
    public void setup() throws Exception {
        Logging initialize = Logging.initialize();
        initialize.setLevel(OAuth2WebUiAuthenticationFilter.class.getName(), Level.DEBUG);
        initialize.setLevel(OAuth2Service.class.getName(), Level.DEBUG);
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        OkHttpUtil.setupInsecureSsl(builder);
        builder.followRedirects(false);
        this.httpClient = builder.build();
        this.hydraIdP = new TestingHydraIdentityProvider(TTL_ACCESS_TOKEN_IN_SECONDS, true, false);
        this.hydraIdP.start();
        String str = "https://localhost:" + this.hydraIdP.getAuthPort();
        this.server = TestingTrinoServer.builder().setCoordinator(true).setAdditionalModule(new WebUiModule()).setProperties(ImmutableMap.builder().put("web-ui.enabled", "true").put("web-ui.authentication.type", "oauth2").put("http-server.https.enabled", "true").put("http-server.https.keystore.path", Resources.getResource("cert/localhost.pem").getPath()).put("http-server.https.keystore.key", "").put("http-server.authentication.oauth2.issuer", "https://localhost:4444/").put("http-server.authentication.oauth2.auth-url", str + "/oauth2/auth").put("http-server.authentication.oauth2.token-url", str + "/oauth2/token").put("http-server.authentication.oauth2.end-session-url", str + "/oauth2/sessions/logout").put("http-server.authentication.oauth2.jwks-url", str + "/.well-known/jwks.json").put("http-server.authentication.oauth2.client-id", "trino-client").put("http-server.authentication.oauth2.client-secret", TRINO_CLIENT_SECRET).put("http-server.authentication.oauth2.additional-audiences", TRUSTED_CLIENT_ID).put("http-server.authentication.oauth2.max-clock-skew", "0s").put("http-server.authentication.oauth2.user-mapping.pattern", "(.*)(@.*)?").put("http-server.authentication.oauth2.oidc.discovery", "false").put("http-server.authentication.oauth2.scopes", "openid,offline").put("http-server.authentication.oauth2.refresh-tokens", "true").put("oauth2-jwk.http-client.trust-store-path", Resources.getResource("cert/localhost.pem").getPath()).buildOrThrow()).build();
        ((OAuth2Client) this.server.getInstance(Key.get(OAuth2Client.class))).load();
        this.serverUri = this.server.getHttpsBaseUrl();
        this.uiUri = this.serverUri.resolve("/ui/");
        this.hydraIdP.createClient("trino-client", TRINO_CLIENT_SECRET, TokenEndpointAuthMethod.CLIENT_SECRET_BASIC, ImmutableList.of("trino-client", ADDITIONAL_AUDIENCE), this.serverUri + "/oauth2/callback", this.serverUri + "/ui/logout/logout.html");
    }

    @AfterAll
    public void tearDown() throws Exception {
        Logging initialize = Logging.initialize();
        initialize.clearLevel(OAuth2WebUiAuthenticationFilter.class.getName());
        initialize.clearLevel(OAuth2Service.class.getName());
        Closeables.closeAll(new AutoCloseable[]{this.server, this.hydraIdP, () -> {
            this.httpClient.dispatcher().executorService().shutdown();
            this.httpClient.connectionPool().evictAll();
        }});
        this.server = null;
        this.hydraIdP = null;
        this.httpClient = null;
    }

    @Test
    public void testSuccessfulFlowWithRefreshedAccessToken() throws Exception {
        CookieManager cookieManager = new CookieManager();
        CookieStore cookieStore = cookieManager.getCookieStore();
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        OkHttpUtil.setupInsecureSsl(builder);
        OkHttpClient build = builder.followRedirects(true).cookieJar(new JavaNetCookieJar(cookieManager)).build();
        Assertions.assertThat(cookieStore.get(this.uiUri)).isEmpty();
        accessUi(build);
        HttpCookie orElseThrow = cookieStore.get(this.uiUri).stream().filter(httpCookie -> {
            return httpCookie.getName().equals("__Secure-Trino-ID-Token");
        }).findFirst().orElseThrow();
        Thread.sleep(TTL_ACCESS_TOKEN_IN_SECONDS.plusSeconds(1L).toMillis());
        accessUi(build);
        HttpCookie orElseThrow2 = cookieStore.get(this.uiUri).stream().filter(httpCookie2 -> {
            return httpCookie2.getName().equals("__Secure-Trino-ID-Token");
        }).findFirst().orElseThrow();
        Assertions.assertThat(orElseThrow2.getValue()).isEqualTo(orElseThrow.getValue());
        assertTokenIsExpired(orElseThrow2.getValue());
        Response execute = build.newCall(new Request.Builder().url(this.uiUri.resolve("logout").toURL()).get().build()).execute();
        try {
            Assertions.assertThat(execute.code()).isEqualTo(200);
            Assertions.assertThat(execute.request().url().toString()).isEqualTo(this.uiUri.resolve("logout/logout.html").toString());
            if (execute != null) {
                execute.close();
            }
            Assertions.assertThat(cookieStore.get(this.uiUri)).isEmpty();
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    protected void assertTokenIsExpired(String str) {
        Assertions.assertThatThrownBy(() -> {
            JwtUtil.newJwtParserBuilder().setSigningKeyResolver(new JwkSigningKeyResolver(new JwkService(URI.create("https://localhost:" + this.hydraIdP.getAuthPort() + "/.well-known/jwks.json"), new JettyHttpClient(new HttpClientConfig().setTrustStorePath(Resources.getResource("cert/localhost.pem").getPath()))))).build().parseClaimsJws(str);
        });
    }

    private void accessUi(OkHttpClient okHttpClient) throws Exception {
        Response execute = okHttpClient.newCall(new Request.Builder().url(this.uiUri.toURL()).get().build()).execute();
        try {
            Assertions.assertThat(execute.code()).isEqualTo(200);
            Assertions.assertThat(execute.request().url().toString()).isEqualTo(this.uiUri.toString());
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
